From: Greg Kroah-Hartman Date: Sat, 25 May 2024 15:00:59 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v6.9.3~43 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0788328a692c90af23a4ce4fd1c914a2114f3402;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: speakup-fix-sizeof-vs-array_size-bug.patch
---
diff --git a/queue-4.19/series b/queue-4.19/series
index ae483180dca..5d3c95d710e 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -1 +1,2 @@
+speakup-fix-sizeof-vs-array_size-bug.patch
 tty-n_gsm-fix-possible-out-of-bounds-in-gsm0_receive.patch
diff --git a/queue-4.19/speakup-fix-sizeof-vs-array_size-bug.patch b/queue-4.19/speakup-fix-sizeof-vs-array_size-bug.patch
new file mode 100644
index 00000000000..2d51380fb30
--- /dev/null
+++ b/queue-4.19/speakup-fix-sizeof-vs-array_size-bug.patch
@@ -0,0 +1,35 @@
+From 008ab3c53bc4f0b2f20013c8f6c204a3203d0b8b Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Mon, 15 Apr 2024 14:02:23 +0300
+Subject: speakup: Fix sizeof() vs ARRAY_SIZE() bug
+
+From: Dan Carpenter
+
+commit 008ab3c53bc4f0b2f20013c8f6c204a3203d0b8b upstream.
+
+The "buf" pointer is an array of u16 values. This code should be
+using ARRAY_SIZE() (which is 256) instead of sizeof() (which is 512),
+otherwise it can the still got out of bounds.
+
+Fixes: c8d2f34ea96e ("speakup: Avoid crash on very long word")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dan Carpenter
+Reviewed-by: Samuel Thibault
+Link: https://lore.kernel.org/r/d16f67d2-fd0a-4d45-adac-75ddd11001aa@moroto.mountain
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/speakup/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/speakup/main.c
++++ b/drivers/staging/speakup/main.c
+@@ -577,7 +577,7 @@ static u_long get_word(struct vc_data *v
+ }
+ attr_ch = get_char(vc, (u_short *)tmp_pos, &spk_attr);
+ buf[cnt++] = attr_ch;
+- while (tmpx < vc->vc_cols - 1 && cnt < sizeof(buf) - 1) {
++ while (tmpx < vc->vc_cols - 1 && cnt < ARRAY_SIZE(buf) - 1) {
+ tmp_pos += 2;
+ tmpx++;
+ ch = get_char(vc, (u_short *)tmp_pos, &temp);
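Review bot: The corrected bound `cnt < ARRAY_SIZE(buf) - 1` in get_word() carries no comment saying that `cnt` counts u16 elements rather than bytes, which is the confusion that let the earlier `sizeof(buf)` check (512) pass on a 256-element array. I would add `/* bound is in u16 elements, not bytes */` above the `while`. The declaration of `buf` and the code after the loop are outside the hunk, so confirm that `buf` is a true array at this scope and that whatever is stored at index `cnt` after the loop still fits. It is also worth checking the rest of main.c in the 4.19 tree for other `sizeof(buf)` bounds on this array.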