[PATCH] fbsplash-Fix-tainted-fd_drawimage-forHeight in fbsplash.c:442

[Сергей Губарёв]

From: Sergey Gubarev <sergeygubarev263 at gmail.com>

Good day, dear maintainer.

The value of the variable h (used for rendering height), obtained from an
external source, may be corrupted.

I suggest considering adding a validation check for the received value.


Busybox 1.36.0
---
 busybox/miscutils/fbsplash.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/busybox/miscutils/fbsplash.c b/busybox/miscutils/fbsplash.c
index 2934d8e..72282c0 100644
--- a/busybox/miscutils/fbsplash.c
+++ b/busybox/miscutils/fbsplash.c
@@ -401,6 +401,7 @@ static void fb_drawimage(void)
         * - A raster of Width * Height pixels in triplets of rgb
         *   in pure binary by 1 or 2 bytes. (we support only 1 byte)
         */
+#define MAX_WIDTH (((unsigned int)(-1))/3)
 #define concat_buf bb_common_bufsiz1
        setup_common_bufsiz();

@@ -419,6 +420,9 @@ static void fb_drawimage(void)
                 && max_color_val <= 255
                ) {
                        width = w; /* w is on stack, width may be in
register */
+                       if (width == 0 || width > G.scr_var.xres || width >
MAX_WIDTH ) {
+                               bb_error_msg_and_die("Invalid width in PPM
file '%s': %u", G.image_filename, w);
+                       }
                        height = h;
                        break;
                }
--
2.30.2
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.busybox.net/pipermail/busybox/attachments/20250301/7ca7eb27/attachment.htm>