[PATCH] speakup: Fix sizeof() vs ARRAY_SIZE() bug

From: Dan Carpenter
Date: Mon Apr 15 2024 - 07:03:12 EST

Next message: Fabio Aiuto: "Re: [PATCH v3 1/2] regulator: dt-bindings: pca9450: add PMIC_RST_B warm reset property"
Previous message: Yewon Choi: "net/smc: Buggy reordering scenario in smc socket"
Next in thread: Samuel Thibault: "Re: [PATCH] speakup: Fix sizeof() vs ARRAY_SIZE() bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The "buf" pointer is an array of u16 values. This code should be
using ARRAY_SIZE() (which is 256) instead of sizeof() (which is 512),
otherwise it can the still got out of bounds.

Fixes: c8d2f34ea96e ("speakup: Avoid crash on very long word")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
drivers/accessibility/speakup/main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/accessibility/speakup/main.c b/drivers/accessibility/speakup/main.c
index 736c2eb8c0f3..f677ad2177c2 100644
--- a/drivers/accessibility/speakup/main.c
+++ b/drivers/accessibility/speakup/main.c
@@ -574,7 +574,7 @@ static u_long get_word(struct vc_data *vc)
}
attr_ch = get_char(vc, (u_short *)tmp_pos, &spk_attr);
buf[cnt++] = attr_ch;
- while (tmpx < vc->vc_cols - 1 && cnt < sizeof(buf) - 1) {
+ while (tmpx < vc->vc_cols - 1 && cnt < ARRAY_SIZE(buf) - 1) {
tmp_pos += 2;
tmpx++;
ch = get_char(vc, (u_short *)tmp_pos, &temp);
--
2.43.0

Next message: Fabio Aiuto: "Re: [PATCH v3 1/2] regulator: dt-bindings: pca9450: add PMIC_RST_B warm reset property"
Previous message: Yewon Choi: "net/smc: Buggy reordering scenario in smc socket"
Next in thread: Samuel Thibault: "Re: [PATCH] speakup: Fix sizeof() vs ARRAY_SIZE() bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]