Kajus
Posted April 25, 2019

Hi, there's a bug in the console scrollBuffer function. Consider the following scenario:

    gcw->buffer = 0x0000
    gcw->buffer[0] = A
    gcw->buffer[1] = \n
    gcw->bufpos = 1

    // Remove one line from the start
    ep = gcw->buffer+gcw->bufpos;
    for(p = gcw->buffer; p < ep && *p != '\n'; p++) {
        #if GWIN_CONSOLE_ESCSEQ
            if (*p == 27)
                ESCtoAttr(p[1], &gcw->startattr);
        #endif
    }

    // Was there a newline, if not delete everything.
    if (*p != '\n') {
        gcw->bufpos = 0;
        return;
    }

    // Delete the data
    dp = ++p - gcw->buffer;                     // Calculate the amount to to be removed
    gcw->bufpos -= dp;                          // Calculate the new size
    if (gcw->bufpos)
        memcpy(gcw->buffer, p, gcw->bufpos);    // Move the rest of the dat

ep becomes 0x0001, therefore the for cycle exits with p = 0x0001, which is outside the used buffer area, but the if condition is found invalid as 0x0001 contains \n, dp becomes 2 and here's the bug: gcw->bufpos = bufpos - dp = 1 - 2 = overflow to a very high number, memcpy overwrites a huge area of memory and finally the MCU crashes. I guess the if condition should be something like: if (*p == ep || *p != '\n')...

inmarket
Posted May 7, 2019

This is now fixed and in the repository. Thanks for finding it.
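
A bounds-checked version of the line-removal step discussed in this thread, as an added example: it is not code from either poster and not the fix that went into the repository. The `console_t` type, the 16-byte buffer, the unsigned `size_t` length and the function names are assumptions for illustration; escape-sequence handling is left out and `memmove` replaces `memcpy` because source and destination overlap.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the console object: only the two fields the post uses. */
typedef struct {
    char   buffer[16];
    size_t bufpos;              /* bytes in use; unsigned, so it can wrap */
} console_t;

/* Remove the first line from the used region; returns the bytes removed. */
static size_t scroll_buffer_checked(console_t *c)
{
    char *p = c->buffer, *ep = c->buffer + c->bufpos;
    size_t dp;

    while (p < ep && *p != '\n')
        p++;

    /* Compare the pointer, not *p: at p == ep the byte is stale and may be '\n'. */
    if (p == ep) {
        dp = c->bufpos;
        c->bufpos = 0;          /* no newline in the used region: drop it all */
        return dp;
    }
    dp = (size_t)(++p - c->buffer);     /* p < ep held, so dp <= bufpos */
    c->bufpos -= dp;
    if (c->bufpos)
        memmove(c->buffer, p, c->bufpos);
    return dp;
}

/* Constructed input matching the post: 'A' in use, stale '\n' just past it. */
static size_t demo_post_scenario(void)
{
    console_t c = { .buffer = { 'A', '\n' }, .bufpos = 1 };
    scroll_buffer_checked(&c);
    return c.bufpos;            /* 0, where the unchecked code wraps 1 - 2 */
}

/* Constructed normal case: "ab\ncd" loses its first line and keeps "cd". */
static int demo_two_lines(void)
{
    console_t c = { .buffer = "ab\ncd", .bufpos = 5 };
    scroll_buffer_checked(&c);
    return c.bufpos == 2 && c.buffer[0] == 'c' && c.buffer[1] == 'd';
}

int main(void) { printf("%zu %d\n", demo_post_scenario(), demo_two_lines()); return 0; }
```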