diff options
| author | William Wilgus <me.theuser@yahoo.com> | 2018-12-13 10:39:49 -0600 |
|---|---|---|
| committer | William Wilgus <me.theuser@yahoo.com> | 2018-12-14 01:28:17 -0600 |
| commit | 3f110daf3032187c052a6e3c1b05d01d1a4582d0 (patch) | |
| tree | d2fcb43e9010dd7f5b414b68d23448dfcccd8513 /apps/tree.h | |
| parent | ce0b31d87db3c4c1c1bfb535c50770d33e9c4aaf (diff) | |
| download | rockbox-3f110daf3032187c052a6e3c1b05d01d1a4582d0.tar.gz rockbox-3f110daf3032187c052a6e3c1b05d01d1a4582d0.tar.bz2 rockbox-3f110daf3032187c052a6e3c1b05d01d1a4582d0.zip | |
Fix tree.c->tree_get_entry_at() buffer overflow
I observed a crash on buflib>move_block
after dumping ram I noticed that the buffer for filetypes was being corrupted
tree_get_entry_at returns a entry from the buflib 'tree entry' buffer
filetree.c->ft_load writes data to this buffer before checking if it has
reached the last entry resulting in buffer overflow that overwrites the
next entry in the buffer ['filetypes']
Patch checks that the index passed to tree_get_entry_at() is in range
otherwise it returns NULL
Added checks + panic in other functions using tree_get_entry_at()
Fixed tree_lock_cache() calls in playlist and filetree
Change-Id: Ibf9e65652b4e00445e8e509629aebbcddffcfd4d
Diffstat (limited to 'apps/tree.h')
| -rw-r--r-- | apps/tree.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/apps/tree.h b/apps/tree.h index 77dc5da1b4..c70ae8dac1 100644 --- a/apps/tree.h +++ b/apps/tree.h @@ -105,7 +105,9 @@ struct tree_context { /* * Call one of the two below after yields since the entrys may move inbetween */ struct entry* tree_get_entries(struct tree_context *t); +/* returns NULL on invalid index */ struct entry* tree_get_entry_at(struct tree_context *t, int index); + void tree_mem_init(void) INIT_ATTR; void tree_gui_init(void) INIT_ATTR; char* get_current_file(char* buffer, size_t buffer_len); |