git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Junjie Cao <junjie.cao@intel.com>
	Mon, 20 Oct 2025 13:47:01 +0000 (21:47 +0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 13 Nov 2025 20:36:37 +0000 (15:36 -0500)
commit	efaf89a75a29b2d179bf4fe63ca62852e93ad620
tree	d9daf76c57ba5893097e6c57ee60091df7aee0dd	tree \| snapshot
parent	d46be475242416381b6a12e31fc2c61847ce9262	commit \| diff

fbdev: bitblit: bound-check glyph index in bit_putcs*

commit 18c4ef4e765a798b47980555ed665d78b71aeadf upstream.

bit_putcs_aligned()/unaligned() derived the glyph pointer from the
character value masked by 0xff/0x1ff, which may exceed the actual font's
glyph count and read past the end of the built-in font array.
Clamp the index to the actual glyph count before computing the address.

This fixes a global out-of-bounds read reported by syzbot.

Reported-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
Tested-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
Signed-off-by: Junjie Cao <junjie.cao@intel.com>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>