[PATCH 5/8] backlight: Avoid buffer overflow in the use of readline
Kristian Høgsberg
hoegsberg at gmail.com
Tue Oct 9 19:56:12 PDT 2012
On Tue, Oct 09, 2012 at 06:44:33PM +0100, Rob Bradford wrote:
> From: Rob Bradford <rob at linux.intel.com>
>
> readline() returns the number of bytes that it has written excluding any NUL
> byte (since it does not write that itself.) This could lead to attempting to
> access beyond the end of buffer if the destination of the link is exactly 100
> bytes long. The standard solution to this is to subtract one from the buffer
> when passing it into readlink().

Very nice, thanks. I fixed the confusing readline/readlink typo in
the commit message :)

Kristian

> Signed-off-by: Rob Bradford <rob at linux.intel.com>
> ---
> src/libbacklight.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/src/libbacklight.c b/src/libbacklight.c
> index 37f4bcc..c432c6e 100644
> --- a/src/libbacklight.c
> +++ b/src/libbacklight.c
> @@ -166,7 +166,7 @@ struct backlight *backlight_init(struct udev_device *drm_device,
> if (asprintf(&path, "%s/%s", syspath, "device") < 0)
> return NULL;
>
> - ret = readlink(path, buffer, sizeof(buffer));
> + ret = readlink(path, buffer, sizeof(buffer) - 1);
> free(path);
> if (ret < 0)
> return NULL;
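
Review bot: The check after this readlink() call only tests ret < 0, so a link target longer than sizeof(buffer) - 1 is silently truncated and then treated as the complete path. Reserving one byte addresses the access beyond the end of the buffer described in the commit message, but readlink() reports no error on truncation; consider treating ret == sizeof(buffer) - 1 as a failure, or retrying with a larger buffer, before the result is used.
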
> @@ -248,7 +248,7 @@ struct backlight *backlight_init(struct udev_device *drm_device,
> if (asprintf(&path, "%s/%s", backlight_path, "device") < 0)
> return NULL;
>
> - ret = readlink(path, buffer, sizeof(buffer));
> + ret = readlink(path, buffer, sizeof(buffer) - 1);
>
> if (ret < 0)
> goto out;
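
Review bot: The sizeof(buffer) - 1 expression is now repeated at both readlink() call sites in backlight_init(), so the reserve-one-byte rule has to be kept in sync by hand; a small helper that reads the link and returns a terminated string would keep it in one place. Separately, the first call site calls free(path) right after readlink(), while no free(path) is visible here before "goto out", so it is worth confirming that the out label releases path.
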
> --
> 1.7.11.2