git.ipfire.org Git - thirdparty/plymouth.git/commitdiff
main: Fix out of bounds write
authorRay Strode <rstrode@redhat.com>
Fri, 22 Dec 2023 15:12:32 +0000 (10:12 -0500)
committerRay Strode <halfline@gmail.com>
Fri, 22 Dec 2023 15:51:48 +0000 (15:51 +0000)
There's currently an out of bounds write when copying dmesg to
the boot buffer.

This is because there's a newline and a terminating NUL and only
one of the two was being accounted for.

This commit fixes the problem by dropping strcat/strcpy and using
printf style functions instead.

Spotted by Ilya K.

src/main.c

index 09ca685440db5a3bde4d60cfcf2073253bc9e801..ead5ec5a9a61a20e2676bf4424c721cee965b1a1 100644 (file)
@@ -1465,16 +1465,12 @@ void
 on_new_kmsg_message (state_t        *state,
                      kmsg_message_t *kmsg_message)
 {
-        long size = strlen (kmsg_message->message) + 1;
-        char output[size];
+        ply_buffer_append (state->boot_buffer, "%s\n", kmsg_message->message);
 
-        strcpy (output, kmsg_message->message);
-        strcat (output, "\n");
-
-        ply_buffer_append_bytes (state->boot_buffer, output, size);
-
-        if (state->boot_splash != NULL)
-                ply_boot_splash_update_output (state->boot_splash, output, size);
+        if (state->boot_splash != NULL) {
+                ply_boot_splash_update_output (state->boot_splash, kmsg_message->message, strlen (kmsg_message->message));
+                ply_boot_splash_update_output (state->boot_splash, "\n", 1);
+        }
 }
 
 static bool
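Review bot: The splash now receives each kmsg line in two `ply_boot_splash_update_output` calls (the text, then `"\n"`), so a plugin that handles output per call sees an unterminated line followed by a lone newline, where it used to get one terminated chunk. If any plugin depends on that, the line should be assembled once in a heap or length-checked buffer and passed in a single call. Separately, the boot-buffer write now relies on how `ply_buffer_append` sizes its formatted output, which is outside this hunk. It is worth confirming that it measures the formatted length rather than using a fixed scratch buffer, since nothing visible here bounds the length of `kmsg_message->message`. A comment above the two calls, such as `/* text and newline are sent separately so no sized temporary is needed */`, would help keep a later cleanup from reintroducing the off-by-one.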