Re: [PATCH] HID: picolcd: prevent NULL pointer dereference in picolcd_send_and_wait()
From: Jiri Kosina
Date: Mon Jun 29 2026 - 04:50:47 EST
On Sun, 17 May 2026, Georgiy Osokin wrote:
> In picolcd_send_and_wait(), an integer overflow of the signed loop counter
> 'k' can theoretically lead to a NULL pointer dereference of 'raw_data'.
> If the loop executes more than INT_MAX times, 'k' becomes negative,
> making the condition 'k < size' true even when 'size' is 0.
>
> Change the type of 'k' to 'unsigned int' to prevent the overflow and
> eliminate the out-of-bounds access.
>
> Found by Linux Verification Center (linuxtesting.org) with the Svace static
> analysis tool.
>
> Fixes: fabdbf2 ("HID: picoLCD: split driver code")
Next time, please make the shas of commits a little bit longer to avoid
uncertainty.
> Signed-off-by: Georgiy Osokin <g.osokin@xxxxxxxxxxxx>
Applied, thanks!
--
Jiri Kosina
SUSE Labs