RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-25 19:37:35 +00:00
Code Issues Activity Actions

Kernel: Fix possible buffer overrun when scanning a MappedROM

Browse source 
If the length of the prefix was less than the chunk_size argument
we were potentionally reading past the mapped memory region.
This commit is contained in:
Tom 2022-01-02 16:25:08 -07:00 committed by Linus Groh
parent e70aa690d2
commit 190572b714
1 changed files with 4 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

5
Kernel/Memory/MappedROM.h
View file

@ -23,7 +23,10 @@ public:
Optional<PhysicalAddress> find_chunk_starting_with(StringView prefix, size_t chunk_size) const Optional<PhysicalAddress> find_chunk_starting_with(StringView prefix, size_t chunk_size) const
{ {
for (auto* candidate = base(); candidate < end(); candidate += chunk_size) { auto prefix_length = prefix.length();
if (size < prefix_length)
return {};
for (auto* candidate = base(); candidate <= end() - prefix_length; candidate += chunk_size) {
if (!__builtin_memcmp(prefix.characters_without_null_termination(), candidate, prefix.length())) if (!__builtin_memcmp(prefix.characters_without_null_termination(), candidate, prefix.length()))
return paddr_of(candidate); return paddr_of(candidate);
} }