Jan/WLED_MM_Infinity
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

bugfix for #272 (only affects rotary usermod)

Browse Source 
Refactor name copying logic to avoid use-after-free issue.
This commit is contained in:
Frank
2025-10-25 16:52:42 +02:00
committed by GitHub
parent 60878305fb
commit f78edc43dc
1 changed files with 8 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
wled00/util.cpp
View File

@@ -340,10 +340,14 @@ uint8_t extractModeSlider(uint8_t mode, uint8_t slider, char *dest, uint8_t maxL
strncpy_P(dest, tmpstr, maxLen); // copy the name into buffer (replacing previous) strncpy_P(dest, tmpstr, maxLen); // copy the name into buffer (replacing previous)
dest[maxLen-1] = '\0'; dest[maxLen-1] = '\0';
} else { } else {
if (nameEnd<0) tmpstr = names.substring(nameBegin).c_str(); // did not find ",", last name? // WLEDMM bugfix for WLED-MM #272
else tmpstr = names.substring(nameBegin, nameEnd).c_str(); // names.substring(...).c_str() returns a pointer to a temporary; its invalid by the next statement. Added result buffer "sub" to avoid use-after-free
strlcpy(dest, tmpstr, maxLen); // copy the name into buffer (replacing previous) // if (nameEnd<0) tmpstr = names.substring(nameBegin).c_str(); // did not find ",", last name?
} // else tmpstr = names.substring(nameBegin, nameEnd).c_str();
// strlcpy(dest, tmpstr, maxLen); // copy the name into buffer (replacing previous)
String sub = (nameEnd<0) ? names.substring(nameBegin) : names.substring(nameBegin, nameEnd);
strlcpy(dest, sub.c_str(), maxLen); // copy the name into buffer (replacing previous)
}
} }
nameBegin = nameEnd+1; // next name (if "," is not found it will be 0) nameBegin = nameEnd+1; // next name (if "," is not found it will be 0)
} // next slider } // next slider