authorThomas Martitz <kugel@rockbox.org>2014-01-12 17:31:53 +0100
committerThomas Martitz <kugel@rockbox.org>2014-01-12 17:37:16 +0100
commit193911af760d460198fc7f08bf6da824f74975b7 (patch)
tree5cdb79ab1f3093ef8967d56a2e2f3ecfb0d2ff89 /apps/gui/line.c
parent3ae73433ab826c7a4f3c49b4d0a86fd9dc29a9cc (diff)
put_line(): Fix buffer overflow.
At the end of the format string it wrote a last byte (or inline string) past the end of the LCD boundaries, potentially overwriting unrelated memory. It now makes sure it won't exceed the viewport's width.
Change-Id: Id4cfce918e8b070b7fc3c7d33f389f7a171963ff
Diffstat (limited to 'apps/gui/line.c')
-rw-r--r--apps/gui/line.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/apps/gui/line.c b/apps/gui/line.c
index fd35102ab0..5e22d6da26 100644
--- a/apps/gui/line.c
+++ b/apps/gui/line.c
@@ -184,6 +184,7 @@ static void print_line(struct screen *display,
enum themable_icons icon;
char tempbuf[MAX_PATH+32];
unsigned int tempbuf_idx;
+ int max_width = display->getwidth();
height = line->height == -1 ? display->getcharheight() : line->height;
icon_h = get_icon_height(display->screen_type);
@@ -195,7 +196,7 @@ static void print_line(struct screen *display,
y += height/2 - display->getcharheight()/2;
/* parse format string */
- while (1)
+ while (xpos < max_width)
{
ch = *fmt++;
/* need to check for escaped '$' */
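Review bot: The new `while (xpos < max_width)` condition is only tested at the top of each iteration, so an icon or inline string that starts just inside the viewport can still be handed to the drawing calls with a width that runs past max_width. Whether put_text() and the icon drawing clip to the viewport is not visible in this hunk, so confirm that they do, or bound the item against `max_width - xpos` before drawing. The loop can now also end without reaching the `return` in the `!ch` branch, so a comment such as `/* stop parsing once the cursor has left the viewport; remaining format text is dropped */` would document the silent truncation. The loop body continues outside the hunk.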
@@ -280,8 +281,9 @@ next:
DEBUGF("%s ", ch ? "put_line: String truncated" : "");
}
if (!ch)
- { /* end of string. put it online */
- put_text(display, xpos, y, line, tempbuf, false, 0);
+ { /* end of format string. flush pending inline string, if any */
+ if (tempbuf[0])
+ put_text(display, xpos, y, line, tempbuf, false, 0);
return;
}
else if (ch == '$')
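Review bot: The `if (tempbuf[0])` guard relies on tempbuf[0] being '\0' whenever no inline text is pending, but tempbuf is declared without an initializer (`char tempbuf[MAX_PATH+32];`) and the code that terminates or resets it lies outside this hunk. If nothing was copied into the buffer before the end of the format string, the test may read an indeterminate byte and pass an unterminated buffer to put_text(). Setting `tempbuf[0] = '\0';` before the loop and after every flush would make the invariant explicit, assuming that is not already done in the lines not shown. print_line() starts and ends outside the hunk.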