Jan/WLED_MM_Infinity
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

fix array-of-out-bounds writes

Browse Source 
fixing two dangerous (unguarded) array writes that can cause stack corruption
This commit is contained in:
Frank
2023-01-02 22:38:22 +01:00
parent e4789cbedd
commit 7c1b655ca3
2 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
wled00/set.cpp
View File

@@ -658,8 +658,8 @@ void handleSettingsSet(AsyncWebServerRequest *request, byte subPage)
strip.panel.reserve(strip.panels); // pre-allocate memory
for (uint8_t i=0; i<strip.panels; i++) {
WS2812FX::Panel p;
char pO[8]; sprintf_P(pO, PSTR("P%d"), i);
uint8_t l = strlen(pO); pO[l+1] = 0;
char pO[8] = {'\0'}; snprintf_P(pO, 8, PSTR("P%d"), i); // WLEDMM fix potential string overflow
uint8_t l = strlen(pO); if ((l-1) < sizeof(pO)) pO[l+1] = 0; // WLEDMM fix array-out-of-bounds write
pO[l] = 'B'; if (!request->hasArg(pO)) break;
pO[l] = 'B'; p.bottomStart = request->arg(pO).toInt();
pO[l] = 'R'; p.rightStart = request->arg(pO).toInt();

4
wled00/xml.cpp
View File

@@ -781,8 +781,8 @@ void getSettingsJS(byte subPage, char* dest)
oappend(SET_F("addPanel("));
oappend(itoa(i,n,10));
oappend(SET_F(");"));
char pO[8]; sprintf_P(pO, PSTR("P%d"), i);
uint8_t l = strlen(pO); pO[l+1] = 0;
char pO[8] = {'\0'}; snprintf_P(pO, 8, PSTR("P%d"), i); // WLEDMM fix potential string overflow
uint8_t l = strlen(pO); if ((l-1) < sizeof(pO)) pO[l+1] = 0; // WLEDMM fix array-out-of-bounds write
pO[l] = 'B'; sappend('v',pO,strip.panel[i].bottomStart);
pO[l] = 'R'; sappend('v',pO,strip.panel[i].rightStart);
pO[l] = 'V'; sappend('v',pO,strip.panel[i].vertical);