lib/display_options: avoid illegal memory access

display_options_get_banner_priv() overwrites bytes before the start of the
buffer if the buffer size is less than 3. This case occurs in the Sandbox
when executing the `ut_print` command.

Correctly handle small buffer sizes. Adjust the print unit test to catch
when bytes before the buffer are overwritten.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Heinrich Schuchardt 2019-04-26 18:39:00 +02:00 committed by Tom Rini
parent ed885e752f
commit 6c74e94a65
2 changed files with 13 additions and 7 deletions


@ -23,7 +23,9 @@ char *display_options_get_banner_priv(bool newlines, const char *build_tag,
build_tag); build_tag);
if (len > size - 3) if (len > size - 3)
len = size - 3; len = size - 3;
strcpy(buf + len, "\n\n"); if (len < 0)
len = 0;
snprintf(buf + len, size - len, "\n\n");
return buf; return buf;
} }
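Review bot: A negative `size` is still not rejected after the new clamp: once `len` is forced to 0, `size - len` is passed to `snprintf()` as the bound, and a negative value converted to an unsigned size would become a very large limit. This assumes `size` is a signed integer, which the `size - 3` underflow described in the commit message suggests; the signature is cut off by the hunk. An early `if (size <= 0) return buf;` at the top of the function, outside the lines shown, would close that case. The clamp itself deserves a comment such as `/* size < 3 makes size - 3 negative; never write before buf */`.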


@ -79,14 +79,18 @@ static int do_ut_print(cmd_tbl_t *cmdtp, int flag, int argc,
assert(s == str); assert(s == str);
assert(!strcmp("\n\nU-Boo\n\n", s)); assert(!strcmp("\n\nU-Boo\n\n", s));
s = display_options_get_banner(true, str, 1); /* Assert that we do not overwrite memory before the buffer */
assert(s == str); str[0] = '`';
assert(!strcmp("", s)); s = display_options_get_banner(true, str + 1, 1);
assert(s == str + 1);
assert(!strcmp("`", str));
s = display_options_get_banner(true, str, 2); str[0] = '~';
assert(s == str); s = display_options_get_banner(true, str + 1, 2);
assert(!strcmp("\n", s)); assert(s == str + 1);
assert(!strcmp("~\n", str));
/* The last two characters are set to \n\n for all buffer sizes > 2 */
s = display_options_get_banner(false, str, sizeof(str)); s = display_options_get_banner(false, str, sizeof(str));
assert(s == str); assert(s == str);
assert(!strcmp("U-Boot \n\n", s)); assert(!strcmp("U-Boot \n\n", s));
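Review bot: The new sentinel checks guard only the byte before the buffer; nothing verifies that the bytes just past the end of the one- and two-byte buffers stay untouched. The old code wrote three bytes with `strcpy()`, so a write past the end is the other way this function could regress for sizes 1 and 2. For the size-1 case, set `str[2] = '#';` before the call and add `assert(str[2] == '#');` after it, and do the same with `str[3]` for the size-2 case. do_ut_print() starts outside the hunk.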