Hi,

there's a bug in console scrollBuffer function, consider following scenario:
gcw->buffer = 0x0000
gcw->buffer[0] = A
gcw->buffer[1] = \n
gcw->bufpos = 1
 

		// Remove one line from the start
		ep = gcw->buffer+gcw->bufpos;
		for(p = gcw->buffer; p < ep && *p != '\n'; p++) {
			#if GWIN_CONSOLE_ESCSEQ
				if (*p == 27)
					ESCtoAttr(p[1], &gcw->startattr);
			#endif
		}

		// Was there a newline, if not delete everything.
		if (*p != '\n') {
			gcw->bufpos = 0;
			return;
		}

		// Delete the data
		dp = ++p - gcw->buffer;						// Calculate the amount to be removed
		gcw->bufpos -= dp;							// Calculate the new size
		if (gcw->bufpos)
			memcpy(gcw->buffer, p, gcw->bufpos);	// Move the rest of the data

 

ep becomes 0x0001, therefore the for loop exits with p = 0x0001, which is outside the used buffer area, but the if condition is found invalid as 0x0001 contains \n; dp becomes 2 and here's the bug: gcw->bufpos = bufpos - dp = 1 - 2 overflows to a very high number, memcpy overwrites a huge area of memory and finally the MCU crashes.

I guess the if condition should be something like:
if (p == ep || *p != '\n')...

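As an added example (not uGFX code), here is a stand-alone C model of the scenario described in the post, with the original condition beside the corrected pointer check; the console struct layout, the buffer size and the unsigned type of bufpos are assumptions, and the escape-sequence handling is left out:

```c
// Added example, not uGFX code: a minimal model of the scrollBuffer scenario.
// The struct layout (buffer, bufpos) and the unsigned bufpos type are assumed.
#include <string.h>
#include <stddef.h>

#define BUF_SIZE 16

typedef struct {
    char   buffer[BUF_SIZE];
    size_t bufpos;                // bytes in use; unsigned, so it can wrap
} console_t;

// Original logic: after the loop, *p is read even when p == ep, i.e. one past
// the used area. Returns the new bufpos, or (size_t)-1 instead of performing
// a memcpy whose length is impossible for this buffer.
static size_t scroll_buggy(console_t *c) {
    char *ep = c->buffer + c->bufpos, *p;
    for (p = c->buffer; p < ep && *p != '\n'; p++) {}
    if (*p != '\n') { c->bufpos = 0; return 0; }   // stale '\n' at ep passes
    size_t dp = (size_t)(++p - c->buffer);         // dp = 2 in the scenario
    c->bufpos -= dp;                               // 1 - 2 wraps to SIZE_MAX
    if (c->bufpos > BUF_SIZE) return (size_t)-1;   // model of the huge memcpy
    if (c->bufpos) memmove(c->buffer, p, c->bufpos);
    return c->bufpos;
}

// Corrected logic: test the pointer before dereferencing it, so reaching ep
// without finding a newline is treated as "no newline, delete everything".
static size_t scroll_fixed(console_t *c) {
    char *ep = c->buffer + c->bufpos, *p;
    for (p = c->buffer; p < ep && *p != '\n'; p++) {}
    if (p == ep || *p != '\n') { c->bufpos = 0; return 0; }
    size_t dp = (size_t)(++p - c->buffer);
    c->bufpos -= dp;                               // dp <= bufpos is guaranteed here
    if (c->bufpos) memmove(c->buffer, p, c->bufpos);
    return c->bufpos;
}

// Constructed scenario from the post: one used byte 'A', with a '\n' left
// over just past the used area (stale data from an earlier line).
static console_t make_scenario(void) {
    console_t c;
    memset(c.buffer, 0, sizeof c.buffer);
    c.buffer[0] = 'A';
    c.buffer[1] = '\n';
    c.bufpos = 1;
    return c;
}
```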