diff options
| author | Dan Carpenter <dan.carpenter@linaro.org> | 2024-04-15 14:02:23 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-06-12 11:02:55 +0200 |
| commit | 3726f75a1ccc16cd335c0ccfad1d92ee08ecba5e (patch) | |
| tree | d2f6c01d4f3aa2aad55df3326db69f42ef9724b0 /drivers/accessibility | |
| parent | 8a6e6b1644e9c2f8b11882ee928a2a92bc81b332 (diff) | |
| download | linux-3726f75a1ccc16cd335c0ccfad1d92ee08ecba5e.tar.gz linux-3726f75a1ccc16cd335c0ccfad1d92ee08ecba5e.tar.bz2 linux-3726f75a1ccc16cd335c0ccfad1d92ee08ecba5e.zip | |
speakup: Fix sizeof() vs ARRAY_SIZE() bug
commit 008ab3c53bc4f0b2f20013c8f6c204a3203d0b8b upstream.
The "buf" pointer is an array of u16 values. This code should be
using ARRAY_SIZE() (which is 256) instead of sizeof() (which is 512),
otherwise it can the still got out of bounds.
Fixes: c8d2f34ea96e ("speakup: Avoid crash on very long word")
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Link: https://lore.kernel.org/r/d16f67d2-fd0a-4d45-adac-75ddd11001aa@moroto.mountain
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/accessibility')
| -rw-r--r-- | drivers/accessibility/speakup/main.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/accessibility/speakup/main.c b/drivers/accessibility/speakup/main.c index 45d906f17ea3..10aa9c2ec400 100644 --- a/drivers/accessibility/speakup/main.c +++ b/drivers/accessibility/speakup/main.c @@ -573,7 +573,7 @@ static u_long get_word(struct vc_data *vc) } attr_ch = get_char(vc, (u_short *)tmp_pos, &spk_attr); buf[cnt++] = attr_ch; - while (tmpx < vc->vc_cols - 1 && cnt < sizeof(buf) - 1) { + while (tmpx < vc->vc_cols - 1 && cnt < ARRAY_SIZE(buf) - 1) { tmp_pos += 2; tmpx++; ch = get_char(vc, (u_short *)tmp_pos, &temp); |