[U-Boot] Buffer overflow in driver/video/cfb_console.c

Frédéric Nadeau fred.nadeau at gmail.com
Thu Apr 16 01:17:27 CEST 2015


Hi,

I found a buffer overflow in console_clear() which results in a system reset in my case.

Function console_clear_line() uses ">> 2" when calling memsetl. Function console_scrollup() uses ">> 2" when calling memcpyl. Function video_clear() uses "/ size(int)" when calling memsetl.

">> 2" could be replaced by "/ size(int)" as in video_clear(). I used ">> 2" strictly because console functions are written that way.

CONSOLE_SIZE is expressed in bytes (X * Y * bytes per pixel) and memsetl uses int (4 bytes) as copy size. In console_clear(), this results in writing 4 times the buffer size.

Best regards
Frédéric Nadeau

diff --git a/drivers/video/cfb_console.c b/drivers/video/cfb_console.c
index a81affa..620935e 100644
--- a/drivers/video/cfb_console.c
+++ b/drivers/video/cfb_console.c
@@ -798,7 +798,7 @@ static void
​​
​​
console_clear(void)
                          bgx                   /* fill color */
        );
 #else
-       memsetl(CONSOLE_ROW_FIRST, CONSOLE_SIZE, bgx);
+       memsetl(CONSOLE_ROW_FIRST, CONSOLE_SIZE
​>> 2​
, bgx);
 #endif
 }
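Review bot: the `>> 2` on the `+` line converts a byte size to the word count memsetl expects, which matches console_clear_line() and console_scrollup() as the message says, but it silently drops the remainder whenever CONSOLE_SIZE is not a multiple of 4 (it is X * Y * bytes per pixel, so a 3-byte pixel format with odd dimensions would leave a tail unfilled); a short comment at the call site stating that memsetl takes a count of 32-bit words, or the `/ sizeof(int)` spelling already used in video_clear(), would make the unit conversion obvious to the next reader. The patch as posted also has no commit message or Signed-off-by line; U-Boot needs both before it can be applied.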

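The defect described in the message is a unit mismatch: a size in bytes handed to a routine whose count parameter is in 32-bit words, so the fill runs four times past the end of the framebuffer. The following is an added example, not U-Boot code or the author's patch: a memsetl-like helper with the same word-count contract, a conversion helper that reports the remainder the `>> 2` form would discard, and a bounds-checked wrapper that rejects a count which would overrun the buffer. The buffer dimensions, the canary region, and all names other than memsetl are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same contract as cfb_console.c's memsetl(): 'words' counts 32-bit
 * words, not bytes. Hypothetical re-implementation for the demo. */
static void memsetl(uint32_t *dst, size_t words, uint32_t val)
{
    while (words--)
        *dst++ = val;
}

/* Number of bytes a fill of 'words' words actually touches. */
static size_t fill_bytes(size_t words)
{
    return words * sizeof(uint32_t);
}

/* Convert a byte size (such as CONSOLE_SIZE) to the word count memsetl()
 * expects. Same result as ">> 2"; the remainder is reported so a caller
 * knows how many trailing bytes a word fill leaves untouched. */
static size_t bytes_to_words(size_t bytes, size_t *remainder)
{
    if (remainder)
        *remainder = bytes % sizeof(uint32_t);
    return bytes / sizeof(uint32_t);
}

/* Bounds-checked fill: refuses a word count that would run past the end
 * of 'buf' instead of corrupting whatever lies behind it.
 * Returns 0 on success, -1 if the request does not fit. */
static int console_fill_checked(uint8_t *buf, size_t buf_bytes,
                                size_t words, uint32_t val)
{
    if (fill_bytes(words) > buf_bytes)
        return -1;
    memsetl((uint32_t *)buf, words, val);
    return 0;
}

/* Constructed framebuffer: 64 x 8 pixels at 2 bytes per pixel = 1024 bytes,
 * followed by a canary region standing in for the memory behind it. */
#define DEMO_CONSOLE_SIZE (64 * 8 * 2)
#define CANARY_BYTES 16

/* Runs the pre-patch style call (byte size as word count) and the
 * corrected call through the checked wrapper. Returns 1 if the bad call
 * is rejected, the good call fills the whole buffer, and the canary
 * behind the buffer is untouched. */
static int demo(void)
{
    _Alignas(uint32_t) static uint8_t mem[DEMO_CONSOLE_SIZE + CANARY_BYTES];
    memset(mem, 0xAA, sizeof(mem));

    /* Pre-patch mistake: CONSOLE_SIZE (bytes) passed where words are
     * expected. Unchecked, this would write 4 x the buffer size. */
    int bad = console_fill_checked(mem, DEMO_CONSOLE_SIZE,
                                   DEMO_CONSOLE_SIZE, 0);

    /* Corrected call: convert bytes to words first. */
    size_t rem;
    size_t words = bytes_to_words(DEMO_CONSOLE_SIZE, &rem);
    int good = console_fill_checked(mem, DEMO_CONSOLE_SIZE, words, 0);

    int canary_intact = 1;
    for (size_t i = DEMO_CONSOLE_SIZE; i < sizeof(mem); i++)
        if (mem[i] != 0xAA)
            canary_intact = 0;
    int last_cleared = (mem[DEMO_CONSOLE_SIZE - 1] == 0);

    printf("bad call rejected=%d good call ok=%d canary intact=%d\n",
           bad == -1, good == 0, canary_intact);
    return bad == -1 && good == 0 && canary_intact && last_cleared && rem == 0;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

The check in console_fill_checked() is the defensive counterpart of the patch: the patch fixes the one caller, while a size check at the fill routine's boundary would have turned this class of mistake into a refused call rather than a reset.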
