Jump to content

Bug in Console scrollBuffer

Recommended Posts


there's a bug in console scrollBuffer function, consider following scenario:
gcw->buffer = 0x0000
gcw->buffer[0] = A
gcw->buffer[1] = \n
gcw->bufpos = 1

		// Remove one line from the start
		ep = gcw->buffer+gcw->bufpos;
		for(p = gcw->buffer; p < ep && *p != '\n'; p++) {
				if (*p == 27)
					ESCtoAttr(p[1], &gcw->startattr);

		// Was there a newline, if not delete everything.
		if (*p != '\n') {
			gcw->bufpos = 0;

		// Delete the data
		dp = ++p - gcw->buffer;						// Calculate the amount to to be removed
		gcw->bufpos -= dp;							// Calculate the new size
		if (gcw->bufpos)
			memcpy(gcw->buffer, p, gcw->bufpos);	// Move the rest of the dat


ep becomes 0x0001, therefore for cycle exits with p = 0x0001, which is outside the used bufer area, but the if condition is found invalid as 0x0001 contains \n, dp becomes 2 and here's the bug: gcw->bufpos = bufpos - dp = 1 - 2 = overflow to very high number, memcpy overwrites huge area of memory and finally MCU crashes.

I guess the if condition should be something like:
if (*p == ep || *p != '\n')...

Link to post
Share on other sites
  • 2 weeks later...
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...