
On 15.01.21 04:11, Yuezhang.Mo@sony.com wrote:
If both the stop key and the delay key are empty, the length of these keys is 0. The subtraction operation will cause the u_int type variable to overflow, which will cause illegal memory access in the key input loop.
This commit fixes this bug by using the int type instead of u_int.
common/autoboot.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/common/autoboot.c b/common/autoboot.c index e628baffb8..61fb09f910 100644 --- a/common/autoboot.c +++ b/common/autoboot.c @@ -156,9 +156,9 @@ static int passwd_abort_key(uint64_t etime) };
char presskey[MAX_DELAY_STOP_STR];
- u_int presskey_len = 0;
- u_int presskey_max = 0;
- u_int i;
- int presskey_len = 0;
- int presskey_max = 0;
Both indices cannot be negative. So it is understandable that u_int was chosen. You could avoid the subtraction instead of changing the type:
-for (i = 0; i < presskey_max - 1; i++)
+for (i = 0; i + 1 < presskey_max; i++)
Acked-by: Heinrich Schuchardt xypron.glpk@gmx.de
- int i;
# ifdef CONFIG_AUTOBOOT_DELAY_STR if (delaykey[0].str == NULL)
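Review bot: the hunk fixes the wrap by switching presskey_len, presskey_max and i from u_int to int, but the loop bound is still written as `presskey_max - 1`, so correctness now depends on a signed comparison against -1 rather than on the bound itself being meaningful; as the reply above suggests, keeping u_int and writing the condition as `i + 1 < presskey_max` removes the subtraction entirely and keeps the types honest about the values never being negative, so consider that form instead of the type change. Two smaller points: the commit message says "u_init" where "u_int" is meant, and the hunk as quoted shows six `-` lines and no `+` lines although the diffstat reports 3 insertions and 3 deletions, so the added lines appear to have lost their `+` markers in quoting and the patch should be re-sent or checked before it is applied.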
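The following is an added illustration, not code from the patch or from U-Boot, showing why the unsigned bound goes wrong when both keys are empty and how the reviewer's `i + 1 < presskey_max` form avoids it. BUF_MAX, the key strings, and the shift loop are constructed placeholders standing in for MAX_DELAY_STOP_STR and the real key input loop; the way presskey_max is derived from the key lengths is an assumption based on the commit message, not the actual autoboot code.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for MAX_DELAY_STOP_STR; any small size works here. */
#define BUF_MAX 32

/* The bound the original loop computes with unsigned arithmetic.
 * For presskey_max == 0 this wraps to UINT_MAX instead of meaning
 * "no iterations", so a loop using it would index far past the buffer. */
unsigned int unsafe_bound(unsigned int presskey_max)
{
    return presskey_max - 1;
}

/* Number of times the loop body runs with the reviewer's form
 * `i + 1 < presskey_max`: no subtraction is needed, so unsigned types
 * are fine and presskey_max == 0 gives zero iterations. */
unsigned int safe_iterations(unsigned int presskey_max)
{
    unsigned int i, n = 0;

    for (i = 0; i + 1 < presskey_max; i++)
        n++;
    return n;
}

/* Assumed derivation of presskey_max: the longer of the two key strings,
 * clamped to the buffer size. Two empty keys give 0, the case the commit
 * message describes. (Illustrative, not the U-Boot implementation.) */
unsigned int max_key_len(const char *delaykey, const char *stopkey)
{
    size_t d = delaykey ? strlen(delaykey) : 0;
    size_t s = stopkey ? strlen(stopkey) : 0;
    size_t m = d > s ? d : s;

    return m > BUF_MAX ? BUF_MAX : (unsigned int)m;
}

/* Hypothetical key-buffer shift in the style of a key input loop: move
 * each byte one position left without ever reading buf[presskey_max].
 * With presskey_max == 0 the loop does not touch the buffer at all. */
void shift_left(char *buf, unsigned int presskey_max)
{
    unsigned int i;

    for (i = 0; i + 1 < presskey_max; i++)
        buf[i] = buf[i + 1];
}

int main(void)
{
    char buf[BUF_MAX] = "abcd";
    unsigned int empty_max = max_key_len("", "");

    printf("unsafe bound for 0: %u\n", unsafe_bound(empty_max));
    printf("safe iterations for 0: %u\n", safe_iterations(empty_max));
    shift_left(buf, 4);
    printf("shifted: %s\n", buf);
    return 0;
}
```

The point of the comparison is that `i + 1 < presskey_max` is false for every i when presskey_max is 0, so the loop never runs and no index is formed from a wrapped value, whereas `presskey_max - 1` as a u_int is already out of range before the loop starts.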