stdio/lib_libfread: Fix buffer overflow issue
If the gulp size in the stdio buffer > the remaining user buffer size it will:
- Corrupt memory in dest (user memory) and
- Keep corrupting KERNEL memory via the stdio character buffer until the
  whole system crashes, as the 'remaining' count underflows

This patch fixes this behavior.
pussuw authored and xiaoxiang781216 committed Sep 13, 2023
1 parent 7a9d3c0 commit c178fa3
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions libs/libc/stdio/lib_libfread_unlocked.c
Expand Up @@ -126,11 +126,11 @@ ssize_t lib_fread_unlocked(FAR void *ptr, size_t count, FAR FILE *stream)

if (gulp_size > 0)
{
if (gulp_size > count)
if (gulp_size > remaining)
{
/* Clip the gulp size to the requested byte count */

gulp_size = count;
gulp_size = remaining;
}

memcpy(dest, stream->fs_bufpos, gulp_size);
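Review bot: The unchanged comment inside the clip block, "/* Clip the gulp size to the requested byte count */", no longer matches the code, because the bound is now `remaining` rather than `count`; it should say the gulp is clipped to the bytes still free in the caller's buffer. The `memcpy(dest, stream->fs_bufpos, gulp_size)` that follows relies entirely on this clip for its length, so a regression test where the stdio buffer holds more data than the user buffer has left would keep the `count`/`remaining` mix-up from coming back.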