From 6a15ce2b3eb852023d77787f96c6a4a72eb4d60d Mon Sep 17 00:00:00 2001
From: David Herrmann <dh.herrmann@gmail.com>
Date: Thu, 2 Oct 2014 17:09:05 +0200
Subject: [PATCH] terminal/grdev: simplify DRM event parsing
Coverity complained about this code and is partially right. We are not
really protected against integer overflows. Sure, unlikely, but let's just
avoid any overflows and properly protect our parser loop.
---
src/libsystemd-terminal/grdev-drm.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/src/libsystemd-terminal/grdev-drm.c b/src/libsystemd-terminal/grdev-drm.c
index 7a6e1d993b..6b130116d7 100644
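--- a/src/libsystemd-terminal/grdev-drm.c
+++ b/src/libsystemd-terminal/grdev-drm.c
@@ -2195,7 +2195,8 @@ static int grdrm_card_io_fn(sd_event_source *s, int fd, uint32_t revents, void *
 uint32_t id, counter;
 grdrm_object *object;
 char buf[4096];
- ssize_t l, i;
+ size_t len;
+ ssize_t l;
 
 if (revents & (EPOLLHUP | EPOLLERR)) {
 /* Immediately close device on HUP; no need to flush pending
@@ -2214,15 +2215,12 @@ static int grdrm_card_io_fn(sd_event_source *s, int fd, uint32_t revents, void *
 log_debug("grdrm: %s/%s: read error: %m", card->base.session->name, card->base.name);
 grdrm_card_close(card);
 return 0;
- } else if ((size_t)l < sizeof(*event)) {
- log_debug("grdrm: %s/%s: short read of %zd bytes", card->base.session->name, card->base.name, l);
- return 0;
 }
 
- for (i = 0; i < l; i += event->length) {
- event = (void*)&buf[i];
+ for (len = l; len > 0; len -= event->length) {
+ event = (void*)buf;
 
- if (i + (ssize_t)sizeof(*event) > l || i + (ssize_t)event->length > l) {
+ if (len < sizeof(*event) || len < event->length) {
 log_debug("grdrm: %s/%s: truncated event", card->base.session->name, card->base.name);
 break;
 }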
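Review bot: In the second hunk the rewritten loop sets `event = (void*)buf;` on every iteration, so the parser never moves past the first event in the buffer; since `buf` is an array, nothing in the part of the loop body outside the hunk can advance it, and a read that returns several events would apparently handle the first one repeatedly and never reach the rest. Deriving the offset from the bytes already consumed restores the old behaviour: `event = (void*)&buf[(size_t)l - len];`. The bounds check also still accepts an `event->length` of zero or one smaller than the header, which leaves `len` unchanged (an endless loop) or steps into the middle of a record; `if (len < sizeof(*event) || event->length < sizeof(*event) || len < event->length) {` closes that. The body of grdrm_card_io_fn continues outside both hunks.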