AnnePro2-Shine

buffer overflow in function setLedKey

Open xidoo123 opened this issue 1 year ago • 2 comments

Description

In the function setLedKey, it fails to check col properly:

static inline void setLedKey(led_t *ledArray, const message_t *msg) {
  uint8_t row = msg->payload[0];
  uint8_t col = msg->payload[1];
  led_t color = {.p.blue = msg->payload[2],
                 .p.green = msg->payload[3],
                 .p.red = msg->payload[4],
                 .p.alpha = msg->payload[5]};
  naiveDimLed(&color);
  if (row < NUM_ROW && col <= NUM_COLUMN)   /* <--- oob: col == NUM_COLUMN passes the check */
    setKeyColor(&ledArray[ROWCOL2IDX(row, col)], color.rgb);
}

This leads to data corruption when setKeyColor tries to write to ledArray at an out-of-bounds offset, potentially causing DoS/RCE.

Fix

change col <= NUM_COLUMN to col < NUM_COLUMN

xidoo123 avatar Feb 06 '24 00:02 xidoo123
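The off-by-one described in the report, worked through as an added example (this is not code from the AnnePro2-Shine project or from the issue author). It assumes a 5x14 matrix and a row-major ROWCOL2IDX mapping; the real firmware's constants, led_t layout and index macro may differ, but the shape of the bug does not depend on them. The vulnerable and fixed predicates sit side by side, and a guard-padded buffer shows which host-supplied (row, col) pairs the weak check lets through and where the resulting write lands.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed geometry for this example; the project defines its own values. */
#define NUM_ROW 5
#define NUM_COLUMN 14
#define NUM_LEDS (NUM_ROW * NUM_COLUMN)
/* Assumed row-major mapping from (row, col) to a flat LED index. */
#define ROWCOL2IDX(row, col) (((row) * NUM_COLUMN) + (col))

/* Hypothetical LED colour layout, stand-in for the project's led_t. */
typedef struct { uint8_t b, g, r, a; } led_t;

/* Vulnerable predicate, as in the issue: col == NUM_COLUMN is accepted. */
static bool keyInRangeVulnerable(uint8_t row, uint8_t col) {
    return row < NUM_ROW && col <= NUM_COLUMN;
}

/* Fixed predicate: both coordinates must be strictly below their bound. */
static bool keyInRangeFixed(uint8_t row, uint8_t col) {
    return row < NUM_ROW && col < NUM_COLUMN;
}

/* Index the write would hit under the given check, or -1 if rejected. */
int targetIndex(bool (*check)(uint8_t, uint8_t), uint8_t row, uint8_t col) {
    if (!check(row, col)) return -1;
    return ROWCOL2IDX(row, col);
}

/* Performs the write into an array padded with one guard slot and reports
 * whether the guard (the element just past the real array) was modified. */
bool writeCorruptsGuard(bool (*check)(uint8_t, uint8_t), uint8_t row, uint8_t col) {
    led_t buf[NUM_LEDS + 1];
    memset(buf, 0, sizeof buf);
    int idx = targetIndex(check, row, col);
    if (idx < 0) return false;
    led_t color = {1, 2, 3, 4};
    buf[idx] = color;  /* in the firmware: setKeyColor(&ledArray[idx], ...) */
    return buf[NUM_LEDS].r != 0;
}

/* Counts every (row, col) byte pair a check admits whose index lies past
 * the end of a NUM_LEDS-element array. */
int countOutOfBoundsAccepted(bool (*check)(uint8_t, uint8_t)) {
    int n = 0;
    for (unsigned row = 0; row < 256; row++)
        for (unsigned col = 0; col < 256; col++)
            if (targetIndex(check, (uint8_t)row, (uint8_t)col) >= NUM_LEDS) n++;
    return n;
}

int main(void) {
    /* Row 0, col 14: accepted by the weak check, silently repaints (1, 0). */
    printf("vuln idx for (0,%d): %d (== idx of (1,0): %d)\n", NUM_COLUMN,
           targetIndex(keyInRangeVulnerable, 0, NUM_COLUMN), ROWCOL2IDX(1, 0));
    /* Last row, col 14: accepted, and the index equals NUM_LEDS, one past the end. */
    printf("vuln idx for (%d,%d): %d, guard hit: %d\n", NUM_ROW - 1, NUM_COLUMN,
           targetIndex(keyInRangeVulnerable, NUM_ROW - 1, NUM_COLUMN),
           writeCorruptsGuard(keyInRangeVulnerable, NUM_ROW - 1, NUM_COLUMN));
    printf("fixed idx for (%d,%d): %d\n", NUM_ROW - 1, NUM_COLUMN,
           targetIndex(keyInRangeFixed, NUM_ROW - 1, NUM_COLUMN));
    printf("OOB pairs accepted: vuln=%d fixed=%d\n",
           countOutOfBoundsAccepted(keyInRangeVulnerable),
           countOutOfBoundsAccepted(keyInRangeFixed));
    return 0;
}
```

Two things the example makes visible that the one-line fix hides. For every row but the last, col == NUM_COLUMN stays inside the array and lands on the first LED of the next row, so the symptom is a wrong key lighting up rather than a crash; only the last row's index reaches NUM_LEDS and writes past the array into whatever the linker placed after ledArray. Both inputs come straight from a host-controlled message, so a fuzzer or a manual test should send the boundary values NUM_COLUMN and NUM_COLUMN - 1 for each row against the patched build and confirm that only the latter is accepted.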

Thanks for the catch, do you want to open a PR and I can approve it? Else I can draft a quick patch to fix it

Codetector1374 avatar Feb 06 '24 02:02 Codetector1374

Hi, #59 should fix all the bugs mentioned in #57 and #58

xidoo123 avatar Feb 06 '24 09:02 xidoo123