Invoking the sandbox with

/u-boot -c ⧵0xef⧵0xbf⧵0xbd

results in a segmentation fault.

Function b_getch() retrieves a character from the input stream. This character may be > 0x7f. If type char is signed, static_get() will return a negative number and in parse_stream() we will use that negative number as an index for array map[] resulting in a buffer overflow.

Reported-by: Harry Lockyer harry_lockyer@tutanota.com Signed-off-by: Heinrich Schuchardt heinrich.schuchardt@canonical.com --- common/cli_hush.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common/cli_hush.c b/common/cli_hush.c index 1ad7a509df..77df42428b 100644 --- a/common/cli_hush.c +++ b/common/cli_hush.c @@ -324,7 +324,7 @@ typedef struct { /* I can almost use ordinary FILE *. Is open_memstream() universally * available? Where is it documented? */ struct in_str { - const char *p; + const unsigned char *p; #ifndef __U_BOOT__ char peek_buf[2]; #endif