Potential Buffer Overflow in Linux Port: SendData Buffer Too Small
Many display drivers assume that the SendData buffer can handle up to 256 bytes, as seen for example here:
https://github.com/olikraus/u8g2/blob/02c197524897d2c2ee191367b5c85f988e3a73ae/csrc/u8x8_d_uc1628.c#L127
However, the Linux port currently allocates only 128 bytes for this buffer:
https://github.com/olikraus/u8g2/blob/02c197524897d2c2ee191367b5c85f988e3a73ae/sys/arm-linux/port/u8g2port.h#L32
This mismatch can lead to a buffer overflow. In my case, it caused random application crashes, which I was able to track down using AddressSanitizer.
As a temporary workaround, I changed the buffer size to 256 bytes:
diff --git a/sys/arm-linux/port/u8g2port.h b/sys/arm-linux/port/u8g2port.h
index ea59fa933..b43367e26 100644
--- a/sys/arm-linux/port/u8g2port.h
+++ b/sys/arm-linux/port/u8g2port.h
@@ -29,7 +29,7 @@ struct user_data_struct {
// Index into buffer
uint8_t index;
// Callback buffer, I2C should send 32 bytes max and SPI 128 bytes max
- uint8_t buffer[128];
+ uint8_t buffer[256];
// Nanosecond delay for U8X8_MSG_DELAY_I2C
unsigned long delay;
// SPI mode
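Review bot: `uint8_t index;` in the context lines above the resized array can only hold 0 to 255, so once `buffer[256]` is completely filled the index wraps to 0; consider widening it (for example to `uint16_t`) in the same change. The comment "I2C should send 32 bytes max and SPI 128 bytes max" is left unchanged and no longer matches the new size, so it should be updated to state the 256-byte driver assumption. Enlarging the array also only moves the limit: a bounds check where bytes are appended to `buffer` would turn any future mismatch into a handled error instead of memory corruption.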
I'm not certain if this is the ideal fix, and would greatly appreciate your feedback. If this direction makes sense, I'm happy to submit a proper PR to address the issue.
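The size mismatch described in this issue, as an added example that is not part of the original post or of the u8g2 code base: a compile-time check that the buffer covers the largest send, plus a bounds-checked append. `struct tx_state`, `append_checked`, `DRIVER_MAX_SEND` and `BUF_CAP` are hypothetical names, and the 256-byte maximum is taken from the issue text.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed values: 256 is the largest single send the issue cites for display
   drivers; BUF_CAP is the patched capacity (it was 128 before the change). */
#define DRIVER_MAX_SEND 256
#define BUF_CAP         256

/* The build fails if the buffer is ever smaller than what drivers may send. */
_Static_assert(BUF_CAP >= DRIVER_MAX_SEND,
               "SendData buffer smaller than driver maximum");

/* Hypothetical stand-in for the port's per-display state. */
struct tx_state {
    size_t  index;            /* size_t: a uint8_t cannot represent 256 */
    uint8_t buffer[BUF_CAP];
    int     rejected;         /* set when a write would not have fit */
};

/* Append len bytes if they fit; return bytes stored, 0 if rejected. */
size_t append_checked(struct tx_state *s, const uint8_t *data, size_t len)
{
    if (s->index > sizeof s->buffer || len > sizeof s->buffer - s->index) {
        s->rejected = 1;      /* caller should fail the transfer, not truncate */
        return 0;
    }
    memcpy(s->buffer + s->index, data, len);
    s->index += len;
    return len;
}

int main(void)
{
    struct tx_state s = {0};
    uint8_t chunk[DRIVER_MAX_SEND] = {0};   /* constructed sample payload */

    size_t first = append_checked(&s, chunk, sizeof chunk);
    size_t extra = append_checked(&s, chunk, 1);
    printf("256-byte send stored: %zu\n", first);
    printf("extra byte stored:    %zu (rejected=%d)\n", extra, s.rejected);
    return 0;
}
```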
Well... I didn't write that code, but I have increased the size. Thanks for the hint.
but I have increased the size.
Thank you!