[Intel-gfx] [PATCH xf86-video-intel 8/8] intel: Fix some theoretical buffer overflow
Ville Syrjala
ville.syrjala at linux.intel.com
Sat Mar 18 13:45:44 UTC 2023
From: Ville Syrjälä <ville.syrjala at linux.intel.com>
Looks to me like the theoretical max the sprintf()s need
here is about 34+4+9+sizeof(de->d_name) bytes. Let's just
make that 64+sizeof(de->d_name) for simplicity.
This shuts up the compiler:
../src/intel_device.c: In function ‘__intel_open_device__pci’:
../src/intel_device.c:387:60: warning: ‘%s’ directive writing up to 255 bytes into a region of size 247 [-Wformat-overflow=]
387 | sprintf(path + base + 4, "/dev/dri/%s", de->d_name);
| ^~
../src/intel_device.c:387:25: note: ‘sprintf’ output between 10 and 265 bytes into a destination of size 256
387 | sprintf(path + base + 4, "/dev/dri/%s", de->d_name);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../src/intel_device.c:392:54: warning: ‘/dev’ directive writing 4 bytes into a region of size between 0 and 255 [-Wformat-overflow=]
392 | sprintf(path + base + 3, "/%s/dev", de->d_name);
| ^~~~
../src/intel_device.c:392:25: note: ‘sprintf’ output between 6 and 261 bytes into a destination of size 256
392 | sprintf(path + base + 3, "/%s/dev", de->d_name);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Ville Syrjälä <ville.syrjala at linux.intel.com>
---
src/intel_device.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/intel_device.c b/src/intel_device.c
index f28d3be11796..2ce2e9ad1467 100644
--- a/src/intel_device.c
+++ b/src/intel_device.c
@@ -335,9 +335,9 @@ static int __intel_open_device__major_minor(int _major, int _minor)
static int __intel_open_device__pci(const struct pci_device *pci)
{
struct stat st;
- char path[256];
- DIR *dir;
struct dirent *de;
+ char path[64+sizeof(de->d_name)];
+ DIR *dir;
int base;
int fd;
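Review bot: the new `char path[64+sizeof(de->d_name)];` declaration relies on a hand-counted bound, while the `sprintf(path + base + 4, "/dev/dri/%s", de->d_name)` and `sprintf(path + base + 3, "/%s/dev", de->d_name)` calls quoted in the warnings stay unbounded, so the buffer is only safe as long as the 34+4+9 estimate from the commit message keeps matching the code that builds `path`. Consider converting those calls to `snprintf()` with the remaining space (`sizeof(path) - base - 4` and `sizeof(path) - base - 3`) and treating a return value at or above that size as a failure, so the limit is enforced rather than assumed. A short comment next to the declaration saying where the 64 comes from would also help the next reader, since the reasoning currently lives only in the commit message.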
--
2.39.2