1. Patchew
  2. linux
  3. View series

[PATCH] speakup: Fix sizeof() vs ARRAY_SIZE() bug

Dan Carpenter posted 1 patch 1 year, 9 months ago 
drivers/accessibility/speakup/main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH] speakup: Fix sizeof() vs ARRAY_SIZE() bug
Posted by Dan Carpenter 1 year, 9 months ago 
The "buf" pointer is an array of u16 values.  This code should be
using ARRAY_SIZE() (which is 256) instead of sizeof() (which is 512),
otherwise it can the still got out of bounds.

Fixes: c8d2f34ea96e ("speakup: Avoid crash on very long word")
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
 drivers/accessibility/speakup/main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/accessibility/speakup/main.c b/drivers/accessibility/speakup/main.c
index 736c2eb8c0f3..f677ad2177c2 100644
--- a/drivers/accessibility/speakup/main.c
+++ b/drivers/accessibility/speakup/main.c
@@ -574,7 +574,7 @@ static u_long get_word(struct vc_data *vc)
 	}
 	attr_ch = get_char(vc, (u_short *)tmp_pos, &spk_attr);
 	buf[cnt++] = attr_ch;
-	while (tmpx < vc->vc_cols - 1 && cnt < sizeof(buf) - 1) {
+	while (tmpx < vc->vc_cols - 1 && cnt < ARRAY_SIZE(buf) - 1) {
 		tmp_pos += 2;
 		tmpx++;
 		ch = get_char(vc, (u_short *)tmp_pos, &temp);
-- 
2.43.0
Re: [PATCH] speakup: Fix sizeof() vs ARRAY_SIZE() bug
Posted by Samuel Thibault 1 year, 9 months ago 
Dan Carpenter, le lun. 15 avril 2024 14:02:23 +0300, a ecrit:
> The "buf" pointer is an array of u16 values.  This code should be
> using ARRAY_SIZE() (which is 256) instead of sizeof() (which is 512),
> otherwise it can the still got out of bounds.
> 
> Fixes: c8d2f34ea96e ("speakup: Avoid crash on very long word")
> Cc: stable@vger.kernel.org
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org

Thanks!

> ---
>  drivers/accessibility/speakup/main.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/accessibility/speakup/main.c b/drivers/accessibility/speakup/main.c
> index 736c2eb8c0f3..f677ad2177c2 100644
> --- a/drivers/accessibility/speakup/main.c
> +++ b/drivers/accessibility/speakup/main.c
> @@ -574,7 +574,7 @@ static u_long get_word(struct vc_data *vc)
>  	}
>  	attr_ch = get_char(vc, (u_short *)tmp_pos, &spk_attr);
>  	buf[cnt++] = attr_ch;
> -	while (tmpx < vc->vc_cols - 1 && cnt < sizeof(buf) - 1) {
> +	while (tmpx < vc->vc_cols - 1 && cnt < ARRAY_SIZE(buf) - 1) {
>  		tmp_pos += 2;
>  		tmpx++;
>  		ch = get_char(vc, (u_short *)tmp_pos, &temp);
> -- 
> 2.43.0
>

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.