Dan Carpenter, le lun. 15 avril 2024 14:02:23 +0300, a ecrit:
> The "buf" pointer is an array of u16 values. This code should be
> using ARRAY_SIZE() (which is 256) instead of sizeof() (which is 512),
> otherwise it can the still got out of bounds.
>
> Fixes: c8d2f34ea96e ("speakup: Avoid crash on very long word")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Reviewed-by: Samuel Thibault <samuel.thibault@xxxxxxxxxxxx
Thanks!
> ---
> drivers/accessibility/speakup/main.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/accessibility/speakup/main.c b/drivers/accessibility/speakup/main.c
> index 736c2eb8c0f3..f677ad2177c2 100644
> --- a/drivers/accessibility/speakup/main.c
> +++ b/drivers/accessibility/speakup/main.c
> @@ -574,7 +574,7 @@ static u_long get_word(struct vc_data *vc)
> }
> attr_ch = get_char(vc, (u_short *)tmp_pos, &spk_attr);
> buf[cnt++] = attr_ch;
> - while (tmpx < vc->vc_cols - 1 && cnt < sizeof(buf) - 1) {
> + while (tmpx < vc->vc_cols - 1 && cnt < ARRAY_SIZE(buf) - 1) {
> tmp_pos += 2;
> tmpx++;
> ch = get_char(vc, (u_short *)tmp_pos, &temp);
> --
> 2.43.0
>
