From 0ac61bffa799ed4817ffd1079617ef6ac933a3f2 Mon Sep 17 00:00:00 2001
From: Teruaki Kawashima <teru@rockbox.org>
Date: Fri, 21 May 2010 13:30:21 +0000
Subject: avoid overflow in puts_scroll().

git-svn-id: svn://svn.rockbox.org/rockbox/trunk@26231 a1c6a512-1295-4272-9138-f99709370657
---
 firmware/drivers/lcd-bitmap-common.c | 6 ++++--
 firmware/drivers/lcd-charcell.c      | 9 ++++++---
 2 files changed, 10 insertions(+), 5 deletions(-)

(limited to 'firmware')

diff --git a/firmware/drivers/lcd-bitmap-common.c b/firmware/drivers/lcd-bitmap-common.c
index 1b31ee8a18..fba09cf06b 100644
--- a/firmware/drivers/lcd-bitmap-common.c
+++ b/firmware/drivers/lcd-bitmap-common.c
@@ -321,6 +321,7 @@ void LCDFN(puts_scroll_style_offset)(int x, int y, const unsigned char *string,
     struct scrollinfo* s;
     char *end;
     int w, h;
+    int len;
 
     if ((unsigned)y >= (unsigned)current_vp->height)
         return;
@@ -358,13 +359,14 @@ void LCDFN(puts_scroll_style_offset)(int x, int y, const unsigned char *string,
         s->bidir = false;
 
     if (!s->bidir) { /* add spaces if scrolling in the round */
-        strcat(s->line, "   ");
+        strlcat(s->line, "   ", sizeof s->line);
         /* get new width incl. spaces */
         s->width = LCDFN(getstringsize)(s->line, &w, &h);
     }
 
     end = strchr(s->line, '\0');
-    strlcpy(end, string, current_vp->width/2);
+    len = sizeof s->line - (end - s->line);
+    strlcpy(end, string, MIN(current_vp->width/2, len));
 
     s->vp = current_vp;
     s->y = y;
diff --git a/firmware/drivers/lcd-charcell.c b/firmware/drivers/lcd-charcell.c
index 36f1d26487..f928c19ecd 100644
--- a/firmware/drivers/lcd-charcell.c
+++ b/firmware/drivers/lcd-charcell.c
@@ -513,9 +513,10 @@ void lcd_puts_scroll_offset(int x, int y, const unsigned char *string,
     {
         /* prepare scroll line */
         char *end;
+        int count;
 
         memset(s->line, 0, sizeof s->line);
-        strcpy(s->line, string);
+        strlcpy(s->line, string, sizeof s->line);
 
         /* get width */
         s->len = utf8length(s->line);
@@ -531,13 +532,15 @@ void lcd_puts_scroll_offset(int x, int y, const unsigned char *string,
 
         if (!s->bidir)  /* add spaces if scrolling in the round */
         {
-            strcat(s->line, "   ");
+            strlcat(s->line, "   ", sizeof s->line);
             /* get new width incl. spaces */
             s->len += SCROLL_SPACING;
         }
 
         end = strchr(s->line, '\0');
-        strlcpy(end, string, utf8seek(s->line, current_vp->width));
+        len = sizeof s->line - (end - s->line);
+        count = utf8seek(s->line, current_vp->width);
+        strlcpy(end, string, MIN(count, len));
 
         s->vp = current_vp;
         s->y = y;
-- 
cgit