Gitiles
Code Review Sign In
review.coreboot.org / coreboot / d840e2b3f019cd37920d6a2ca3c4cfd6f5432699^! / . / src / lib / edid.c
commitd840e2b3f019cd37920d6a2ca3c4cfd6f5432699[log] [tgz]
authorPatrick Georgi <pgeorgi@google.com>Tue Sep 18 18:01:02 2018 +0200
committerPatrick Georgi <pgeorgi@google.com>Tue Nov 06 14:07:58 2018 +0000
tree972525518a8e8d29f949e33153b7a92c7a8d12f6
parentd13b41124b37ae9e86169c55dd9ff7ca1e972ec4 [diff] [blame]
src/lib/edid: avoid buffer overflow

It's more theoretical, but lest somebody calls extract_string()
with too large a length...

Change-Id: I3934bd6965318cdffe5c636b01b3e0c4426e8d1d
Signed-off-by: Patrick Georgi <pgeorgi@google.com>
Found-by: Coverity Scan #1374795
Reviewed-on: https://review.coreboot.org/28659
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>

diff --git a/src/lib/edid.c b/src/lib/edid.c
index fbd8ef6..957897e 100644
--- a/src/lib/edid.c
+++ b/src/lib/edid.c

@@ -175,12 +175,12 @@
 static char *
 extract_string(unsigned char *x, int *valid_termination, int len)
 {
-	static char ret[128];
+	static char ret[EDID_ASCII_STRING_LENGTH + 1];
 	int i, seen_newline = 0;
 
 	memset(ret, 0, sizeof(ret));
 
-	for (i = 0; i < len; i++) {
+	for (i = 0; i < min(len, EDID_ASCII_STRING_LENGTH); i++) {
 		if (seen_newline) {
 			if (x[i] != 0x20) {
 				*valid_termination = 0;
@@ -285,7 +285,7 @@
 			printk(BIOS_SPEW, "Monitor name: %s\n",
 			       extract_string(x + 5,
 					      &c->has_valid_string_termination,
-					      13));
+					      EDID_ASCII_STRING_LENGTH));
 			return 1;
 		case 0xFD:
 		{
@@ -477,7 +477,8 @@
 		case 0xFF:
 			printk(BIOS_SPEW, "Serial number: %s\n",
 			       extract_string(x + 5,
-			       &c->has_valid_string_termination, 13));
+			       &c->has_valid_string_termination,
+			       EDID_ASCII_STRING_LENGTH));
 			return 1;
 		default:
 			printk(BIOS_SPEW,