From 59976557b8dc1fdf45c37b49f785b3526017f67c Mon Sep 17 00:00:00 2001
From: Takashi Iwai <tiwai@suse.de>
Date: Wed, 11 Mar 2020 10:32:29 +0100
Subject: video: omap2: Use scnprintf() for avoiding potential buffer overflow
Git-commit: 42f21e5452a24d205dcc029be4075b8be07f2ac0
Patch-mainline: v5.8-rc1
References: jsc#SLE-12680, jsc#SLE-12880, jsc#SLE-12882, jsc#SLE-12883, jsc#SLE-13496, jsc#SLE-15322
Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit. Fix it by replacing with scnprintf().
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20200311093230.24900-3-tiwai@suse.de
Signed-off-by: Patrik Jakobsson <pjakobsson@suse.de>
---
drivers/video/fbdev/omap2/omapfb/omapfb-sysfs.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/video/fbdev/omap2/omapfb/omapfb-sysfs.c b/drivers/video/fbdev/omap2/omapfb/omapfb-sysfs.c
index 4a5db170ef59..2d39dbfa742e 100644
--- a/drivers/video/fbdev/omap2/omapfb/omapfb-sysfs.c
+++ b/drivers/video/fbdev/omap2/omapfb/omapfb-sysfs.c
@@ -147,11 +147,11 @@ static ssize_t show_overlays(struct device *dev,
if (ovl == fbdev->overlays[ovlnum])
break;
- l += snprintf(buf + l, PAGE_SIZE - l, "%s%d",
+ l += scnprintf(buf + l, PAGE_SIZE - l, "%s%d",
t == 0 ? "" : ",", ovlnum);
}
- l += snprintf(buf + l, PAGE_SIZE - l, "\n");
+ l += scnprintf(buf + l, PAGE_SIZE - l, "\n");
omapfb_unlock(fbdev);
unlock_fb_info(fbi);
@@ -328,11 +328,11 @@ static ssize_t show_overlays_rotate(struct device *dev,
lock_fb_info(fbi);
for (t = 0; t < ofbi->num_overlays; t++) {
- l += snprintf(buf + l, PAGE_SIZE - l, "%s%d",
+ l += scnprintf(buf + l, PAGE_SIZE - l, "%s%d",
t == 0 ? "" : ",", ofbi->rotation[t]);
}
- l += snprintf(buf + l, PAGE_SIZE - l, "\n");
+ l += scnprintf(buf + l, PAGE_SIZE - l, "\n");
unlock_fb_info(fbi);
--
2.28.0