[PATCH 5/8] backlight: Avoid buffer overflow in the use of readline

Rob Bradford robert.bradford at intel.com
Tue Oct 9 10:44:33 PDT 2012


From: Rob Bradford <rob at linux.intel.com>

readline() returns the number of bytes that it has written excluding any NUL
byte (since it does not write that itself.) This could lead to attempting to
access beyond the end of buffer if the destination of the link is exactly 100
bytes long. The standard solution to this is to subtract one from the buffer
when passing it into readlink().

Signed-off-by: Rob Bradford <rob at linux.intel.com>
---
 src/libbacklight.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/libbacklight.c b/src/libbacklight.c
index 37f4bcc..c432c6e 100644
--- a/src/libbacklight.c
+++ b/src/libbacklight.c
@@ -166,7 +166,7 @@ struct backlight *backlight_init(struct udev_device *drm_device,
 	if (asprintf(&path, "%s/%s", syspath, "device") < 0)
 		return NULL;
 
-	ret = readlink(path, buffer, sizeof(buffer));
+	ret = readlink(path, buffer, sizeof(buffer) - 1);
 	free(path);
 	if (ret < 0)
 		return NULL;
@@ -248,7 +248,7 @@ struct backlight *backlight_init(struct udev_device *drm_device,
 		if (asprintf(&path, "%s/%s", backlight_path, "device") < 0)
 			return NULL;
 
-		ret = readlink(path, buffer, sizeof(buffer));
+		ret = readlink(path, buffer, sizeof(buffer) - 1);
 
 		if (ret < 0)
 			goto out;
-- 
1.7.11.2



More information about the wayland-devel mailing list