fix array-of-out-bounds writes

fixing two dangerous (unguarded) array writes that can cause stack corruption
2023-01-02 22:38:22 +01:00
parent e4789cbedd
commit 7c1b655ca3
2 changed files with 4 additions and 4 deletions
--- a/wled00/set.cpp
+++ b/wled00/set.cpp
@@ -658,8 +658,8 @@ void handleSettingsSet(AsyncWebServerRequest *request, byte subPage)
      strip.panel.reserve(strip.panels); // pre-allocate memory
      for (uint8_t i=0; i<strip.panels; i++) {
        WS2812FX::Panel p;
-        char pO[8]; sprintf_P(pO, PSTR("P%d"), i);
+        char pO[8] = {'\0'}; snprintf_P(pO, 8, PSTR("P%d"), i);  // WLEDMM fix potential string overflow
-        uint8_t l = strlen(pO); pO[l+1] = 0;
+        uint8_t l = strlen(pO); if ((l-1) < sizeof(pO)) pO[l+1] = 0; // WLEDMM fix array-out-of-bounds write
        pO[l] = 'B'; if (!request->hasArg(pO)) break;
        pO[l] = 'B'; p.bottomStart = request->arg(pO).toInt();
        pO[l] = 'R'; p.rightStart  = request->arg(pO).toInt();
--- a/wled00/xml.cpp
+++ b/wled00/xml.cpp
@@ -781,8 +781,8 @@ void getSettingsJS(byte subPage, char* dest)
        oappend(SET_F("addPanel("));
        oappend(itoa(i,n,10));
        oappend(SET_F(");"));
-        char pO[8]; sprintf_P(pO, PSTR("P%d"), i);
+        char pO[8] = {'\0'}; snprintf_P(pO, 8, PSTR("P%d"), i);  // WLEDMM fix potential string overflow
-        uint8_t l = strlen(pO); pO[l+1] = 0;
+        uint8_t l = strlen(pO); if ((l-1) < sizeof(pO)) pO[l+1] = 0; // WLEDMM fix array-out-of-bounds write
        pO[l] = 'B'; sappend('v',pO,strip.panel[i].bottomStart);
        pO[l] = 'R'; sappend('v',pO,strip.panel[i].rightStart);
        pO[l] = 'V'; sappend('v',pO,strip.panel[i].vertical);