summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPatrick Georgi <pgeorgi@google.com>2018-09-18 18:01:02 +0200
committerPatrick Georgi <pgeorgi@google.com>2018-11-06 14:07:58 +0000
commitd840e2b3f019cd37920d6a2ca3c4cfd6f5432699 (patch)
tree972525518a8e8d29f949e33153b7a92c7a8d12f6
parentd13b41124b37ae9e86169c55dd9ff7ca1e972ec4 (diff)
src/lib/edid: avoid buffer overflow
It's more theoretical, but lest somebody calls extract_string() with too large a length... Change-Id: I3934bd6965318cdffe5c636b01b3e0c4426e8d1d Signed-off-by: Patrick Georgi <pgeorgi@google.com> Found-by: Coverity Scan #1374795 Reviewed-on: https://review.coreboot.org/28659 Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net> Reviewed-by: Angel Pons <th3fanbus@gmail.com> Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
-rw-r--r--src/lib/edid.c9
1 files changed, 5 insertions, 4 deletions
diff --git a/src/lib/edid.c b/src/lib/edid.c
index fbd8ef65f5..957897ef52 100644
--- a/src/lib/edid.c
+++ b/src/lib/edid.c
@@ -175,12 +175,12 @@ detailed_cvt_descriptor(unsigned char *x, int first)
static char *
extract_string(unsigned char *x, int *valid_termination, int len)
{
- static char ret[128];
+ static char ret[EDID_ASCII_STRING_LENGTH + 1];
int i, seen_newline = 0;
memset(ret, 0, sizeof(ret));
- for (i = 0; i < len; i++) {
+ for (i = 0; i < min(len, EDID_ASCII_STRING_LENGTH); i++) {
if (seen_newline) {
if (x[i] != 0x20) {
*valid_termination = 0;
@@ -285,7 +285,7 @@ detailed_block(struct edid *result_edid, unsigned char *x, int in_extension,
printk(BIOS_SPEW, "Monitor name: %s\n",
extract_string(x + 5,
&c->has_valid_string_termination,
- 13));
+ EDID_ASCII_STRING_LENGTH));
return 1;
case 0xFD:
{
@@ -477,7 +477,8 @@ detailed_block(struct edid *result_edid, unsigned char *x, int in_extension,
case 0xFF:
printk(BIOS_SPEW, "Serial number: %s\n",
extract_string(x + 5,
- &c->has_valid_string_termination, 13));
+ &c->has_valid_string_termination,
+ EDID_ASCII_STRING_LENGTH));
return 1;
default:
printk(BIOS_SPEW,