vt: Fix a read-past-array in vc_t416_color().
author Adam Borowski <kilobyte@angband.pl>
Thu, 15 Sep 2016 14:47:09 +0000 (16:47 +0200)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 22 Sep 2016 09:41:54 +0000 (11:41 +0200)
This makes it show up on UBSAN:
perl -e 'for (0..15) {my @x=("0")x$_;push @x,qw(38 2 64 128 192 4);printf
"\e[%smAfter %d zeroes.\e[0m\n", join(";",@x[0..($_+5<15?$_+5:15)]), $_}'

Seems harmless: if you can programmatically read attributes of a vt
character (/dev/vcsa*), multiple probes can obtain parts of vt_mode then
lowest byte (5th on 64-bit big-endian) of a pointer.

Signed-off-by: Adam Borowski <kilobyte@angband.pl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/tty/vt/vt.c

index 2705ca960e92ea89075b3849839c31202077a276..b51586fea4e84b11fea1f58b05ab1b2f3f67095a 100644 (file)
@@ -1316,7 +1316,7 @@ static int vc_t416_color(struct vc_data *vc, int i,
                /* 256 colours -- ubiquitous */
                i++;
                rgb_from_256(vc->vc_par[i], &c);
-       } else if (vc->vc_par[i] == 2 && i <= vc->vc_npar + 3) {
+       } else if (vc->vc_par[i] == 2 && i + 3 <= vc->vc_npar) {
                /* 24 bit -- extremely rare */
                c.r = vc->vc_par[i + 1];
                c.g = vc->vc_par[i + 2];
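Review bot: In the changed condition, "i + 3 <= vc->vc_npar" keeps the reads of vc->vc_par[i + 1] and vc->vc_par[i + 2] (and anything up to i + 3 that the bound implies) within the supplied parameters only if vc_npar holds the index of the last parameter rather than a count of parameters; if it is a count, the comparison has to be "<". A one-line comment above the branch stating which of the two vc_npar is would make the bound checkable without reading the parser. The same condition also evaluates vc->vc_par[i] == 2 before the range test, so placing the range test first in the && would be the safer ordering. Separately, the commit message describes attribute bytes readable through /dev/vcsa* exposing parts of vt_mode and one byte of a pointer, which is worth stating as an information leak in the subject or body so the fix is easy to find for backports.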