From 7bae13da36477ce451ef5975e0cf79dbe035b52c Mon Sep 17 00:00:00 2001
From: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Date: Tue, 2 May 2023 04:34:09 +0200
Subject: [PATCH] cli: avoid buffer overrun
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Invoking the sandbox with

    /u-boot -c ⧵0xef⧵0xbf⧵0xbd

results in a segmentation fault.

Function b_getch() retrieves a character from the input stream. This
character may be > 0x7f. If type char is signed, static_get() will
return a negative number and in parse_stream() we will use that
negative number as an index for array map[] resulting in a buffer
overflow.

Reported-by: Harry Lockyer <harry_lockyer@tutanota.com>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
---
 common/cli_hush.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common/cli_hush.c b/common/cli_hush.c
index 171069f5f4..cee87249bc 100644
--- a/common/cli_hush.c
+++ b/common/cli_hush.c
@@ -324,7 +324,7 @@ typedef struct {
 /* I can almost use ordinary FILE *.  Is open_memstream() universally
  * available?  Where is it documented? */
 struct in_str {
-	const char *p;
+	const unsigned char *p;
 #ifndef __U_BOOT__
 	char peek_buf[2];
 #endif
-- 
2.39.5