Hi,
I found a buffer overflow
in console_clear() which result in a system reset in my case.
F
u
nction console_clear_line() uses ">> 2" when calling memsetl.
Function console_scrollup()
uses ">> 2"
when calling memcpyl.
Function
video_clear()
uses
"/ size(int)"
when calling memsetl
.
">> 2" could be replace by "/ size(int)" as in
video_clear().
I used ">> 2" strictly because console functions are written that way.
CONSOLE_SIZE is expressed in byte(X * Y * bytes per pixel) and memsetl
uses int(4 bytes) as copy size. In n
console_clear(), this result in writing 4 times the buffer size.
Best regards
Frédéric Nadeau
diff --git a/drivers/video/cfb_console.c b/drivers/video/cfb_console.c
index a81affa..620935e 100644
--- a/drivers/video/cfb_console.c
+++ b/drivers/video/cfb_console.c
@@ -798,7 +798,7 @@ static void
console_clear(void)
bgx /* fill color */
);
#else
- memsetl(CONSOLE_ROW_FIRST, CONSOLE_SIZE, bgx);
+ memsetl(CONSOLE_ROW_FIRST, CONSOLE_SIZE
>> 2
, bgx);
#endif
}
_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
http://lists.denx.de/mailman/listinfo/u-boot
