[PATCH] fbsplash-Fix-tainted-fd_drawimage-forWidth in fbsplash.c:427
Stefan Seyfried
stefan.seyfried at googlemail.com
Sat Mar 1 15:25:21 UTC 2025
Am 01.03.25 um 13:06 schrieb Сергей Губарёв:
> From: Sergey Gubarev <sergeygubarev263 at gmail.com>
>
> Good day, dear maintainer.
>
> The value of the variable w (used for rendering width), obtained from an
> external source, may be corrupted and could lead to an overflow in line_size
> = width * 3.
cannot happen in reality.
Unless you have displays wider than roughly 1.43 Billion pixels.
> I suggest considering adding a validation check for the received value.
I'm missing the bloatcheck so that it can be judged if the check that
never is going to trigger is worth increasing the code size.
> Busybox 1.36.0
> ---
> busybox/miscutils/fbsplash.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/busybox/miscutils/fbsplash.c b/busybox/miscutils/fbsplash.c
> index 2934d8e..72282c0 100644
> --- a/busybox/miscutils/fbsplash.c
> +++ b/busybox/miscutils/fbsplash.c
> @@ -401,6 +401,7 @@ static void fb_drawimage(void)
> * - A raster of Width * Height pixels in triplets of rgb
> * in pure binary by 1 or 2 bytes. (we support only 1 byte)
> */
> +#define MAX_WIDTH (((unsigned int)(-1))/3)
> #define concat_buf bb_common_bufsiz1
> setup_common_bufsiz();
>
> @@ -419,6 +420,9 @@ static void fb_drawimage(void)
> && max_color_val <= 255
> ) {
> width = w; /* w is on stack, width may be in
> register */
> + if (width == 0 || width > G.scr_var.xres || width >
> MAX_WIDTH ) {
> + bb_error_msg_and_die("Invalid width in PPM
> file '%s': %u", G.image_filename, w);
> + }
> height = h;
> break;
> }
> --
> 2.30.2
--
Stefan Seyfried
"For a successful technology, reality must take precedence over
public relations, for nature cannot be fooled." -- Richard Feynman
More information about the busybox
mailing list