From: Ville Syrjala <ville.syrjala@linux.intel.com>
To: intel-gfx@lists.freedesktop.org
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Subject: [Intel-gfx] [PATCH xf86-video-intel 8/8] intel: Fix some theoretical buffer overflow
Date: Sat, 18 Mar 2023 15:45:44 +0200
Message-ID: <20230318134544.11033-8-ville.syrjala@linux.intel.com>
In-Reply-To: <20230318134544.11033-1-ville.syrjala@linux.intel.com>
From: Ville Syrjälä <ville.syrjala@linux.intel.com>
Looks to me like the theoretical max the sprintf()s need
here is about 34+4+9+sizeof(de->d_name) bytes. Let's just
make that 64+sizeof(de->d_name) for simplicity.
This shuts up the compiler:
../src/intel_device.c: In function ‘__intel_open_device__pci’:
../src/intel_device.c:387:60: warning: ‘%s’ directive writing up to 255 bytes into a region of size 247 [-Wformat-overflow=]
387 | sprintf(path + base + 4, "/dev/dri/%s", de->d_name);
| ^~
../src/intel_device.c:387:25: note: ‘sprintf’ output between 10 and 265 bytes into a destination of size 256
387 | sprintf(path + base + 4, "/dev/dri/%s", de->d_name);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../src/intel_device.c:392:54: warning: ‘/dev’ directive writing 4 bytes into a region of size between 0 and 255 [-Wformat-overflow=]
392 | sprintf(path + base + 3, "/%s/dev", de->d_name);
| ^~~~
../src/intel_device.c:392:25: note: ‘sprintf’ output between 6 and 261 bytes into a destination of size 256
392 | sprintf(path + base + 3, "/%s/dev", de->d_name);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
---
src/intel_device.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/intel_device.c b/src/intel_device.c
index f28d3be11796..2ce2e9ad1467 100644
--- a/src/intel_device.c
+++ b/src/intel_device.c
@@ -335,9 +335,9 @@ static int __intel_open_device__major_minor(int _major, int _minor)
static int __intel_open_device__pci(const struct pci_device *pci)
{
struct stat st;
- char path[256];
- DIR *dir;
struct dirent *de;
+ char path[64+sizeof(de->d_name)];
+ DIR *dir;
int base;
int fd;
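Review bot: The new `char path[64+sizeof(de->d_name)];` declaration sizes the buffer from an estimate (the commit message's "about 34+4+9+sizeof(de->d_name)"), while the writes quoted in the warnings, `sprintf(path + base + 4, "/dev/dri/%s", de->d_name)` and `sprintf(path + base + 3, "/%s/dev", de->d_name)`, stay unbounded. The buffer is then large enough only while the prefix length `base` stays inside that estimate, and nothing in the code enforces it. Consider bounding the writes instead, for example `snprintf(path + base + 4, sizeof(path) - base - 4, ...)`, treating a truncated result as a failure, and adding a short comment that says what the 64 is meant to cover. Moving `DIR *dir;` is not required for the fix, since only `path` has to be declared after `de`, so that line could stay where it was to keep the diff minimal.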
--
2.39.2