From c178fa3260198debb6b9bac03436bfdc55ad74d5 Mon Sep 17 00:00:00 2001 From: Ville Juven Date: Wed, 13 Sep 2023 13:12:20 +0300 Subject: [PATCH] stdio/lib_libfread: Fix buffer overflow issue If the gulp size in the stdio buffer exceeds the remaining user buffer size it will: - Corrupt memory in dest (user memory) and - Keep corrupting KERNEL memory via the stdio character buffer until the whole system crashes, as the 'remaining' count underflows. This patch fixes this behavior. --- libs/libc/stdio/lib_libfread_unlocked.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libs/libc/stdio/lib_libfread_unlocked.c b/libs/libc/stdio/lib_libfread_unlocked.c index 5e56f126d9..1fb26b798d 100644 --- a/libs/libc/stdio/lib_libfread_unlocked.c +++ b/libs/libc/stdio/lib_libfread_unlocked.c @@ -126,11 +126,11 @@ ssize_t lib_fread_unlocked(FAR void *ptr, size_t count, FAR FILE *stream) if (gulp_size > 0) { - if (gulp_size > count) + if (gulp_size > remaining) { /* Clip the gulp size to the requested byte count */ - gulp_size = count; + gulp_size = remaining; } memcpy(dest, stream->fs_bufpos, gulp_size);
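Review bot: The comment inside the clip branch, `/* Clip the gulp size to the requested byte count */`, is now stale: the new bound is `remaining`, not the caller's `count`, and a reader who trusts the comment could reintroduce exactly the overrun of `dest` that the following `memcpy(dest, stream->fs_bufpos, gulp_size)` line performs. I would change it to `/* Clip the gulp size to the bytes still to be copied into dest (remaining), not the original count, or memcpy overruns the user buffer */`. The declarations of `gulp_size` and `remaining` are outside the hunk; since `gulp_size` is compared against 0 it may be signed, in which case `gulp_size > remaining` is a signed/unsigned comparison worth confirming against the declarations. lib_fread_unlocked begins before the hunk and continues past it.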