[PATCH] fbsplash-Fix-tainted-fd_drawimage-forHeight in fbsplash.c:442
Stefan Seyfried
stefan.seyfried at googlemail.com
Sat Mar 1 15:28:15 UTC 2025
Am 01.03.25 um 13:08 schrieb Сергей Губарёв:
> From: Sergey Gubarev <sergeygubarev263 at gmail.com>
>
> Good day, dear maintainer.
>
> The value of the variable h (used for rendering height), obtained from an
> external source, may be corrupted.
>
> I suggest considering adding a validation check for the received value.
Patch does not match description, it does nothing with height.
Also, the value of height is sanity checked later, so nothing bad is
going to happen.
Well, actually the bootsplash picture might be rendered wrong if it is
corrupted, but that's to be expected anyway ;-)
Is this some crazy automatic code checking effort?
> Busybox 1.36.0
> ---
> busybox/miscutils/fbsplash.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/busybox/miscutils/fbsplash.c b/busybox/miscutils/fbsplash.c
> index 2934d8e..72282c0 100644
> --- a/busybox/miscutils/fbsplash.c
> +++ b/busybox/miscutils/fbsplash.c
> @@ -401,6 +401,7 @@ static void fb_drawimage(void)
> * - A raster of Width * Height pixels in triplets of rgb
> * in pure binary by 1 or 2 bytes. (we support only 1 byte)
> */
> +#define MAX_WIDTH (((unsigned int)(-1))/3)
> #define concat_buf bb_common_bufsiz1
> setup_common_bufsiz();
>
> @@ -419,6 +420,9 @@ static void fb_drawimage(void)
> && max_color_val <= 255
> ) {
> width = w; /* w is on stack, width may be in
> register */
> + if (width == 0 || width > G.scr_var.xres || width >
> MAX_WIDTH ) {
> + bb_error_msg_and_die("Invalid width in PPM
> file '%s': %u", G.image_filename, w);
> + }
> height = h;
> break;
> }
> --
> 2.30.2
--
Stefan Seyfried
"For a successful technology, reality must take precedence over
public relations, for nature cannot be fooled." -- Richard Feynman
More information about the busybox
mailing list