From: Heinrich Schuchardt Date: Tue, 2 May 2023 02:34:09 +0000 (+0200) Subject: cli: avoid buffer overrun X-Git-Tag: v2025.01-rc5-pxa1908~950^2~25^2~7 X-Git-Url: http://git.dujemihanovic.xyz/img/static/%7B%7B%20%28.OutputFormats.Get?a=commitdiff_plain;h=7bae13da36477ce451ef5975e0cf79dbe035b52c;p=u-boot.git cli: avoid buffer overrun Invoking the sandbox with /u-boot -c ⧵0xef⧵0xbf⧵0xbd results in a segmentation fault. Function b_getch() retrieves a character from the input stream. This character may be > 0x7f. If type char is signed, static_get() will return a negative number and in parse_stream() we will use that negative number as an index for array map[] resulting in a buffer overflow. Reported-by: Harry Lockyer Signed-off-by: Heinrich Schuchardt Reviewed-by: Simon Glass --- diff --git a/common/cli_hush.c b/common/cli_hush.c index 171069f5f4..cee87249bc 100644 --- a/common/cli_hush.c +++ b/common/cli_hush.c @@ -324,7 +324,7 @@ typedef struct { /* I can almost use ordinary FILE *. Is open_memstream() universally * available? Where is it documented? */ struct in_str { - const char *p; + const unsigned char *p; #ifndef __U_BOOT__ char peek_buf[2]; #endif