Open xidoo123 opened 8 months ago
In function setLedKey, it fails to check col properly
```c
static inline void setLedKey(led_t *ledArray, const message_t *msg) {
  uint8_t row = msg->payload[0];
  uint8_t col = msg->payload[1];
  led_t color = {.p.blue = msg->payload[2],
                 .p.green = msg->payload[3],
                 .p.red = msg->payload[4],
                 .p.alpha = msg->payload[5]};
  naiveDimLed(&color);
  if (row < NUM_ROW && col <= NUM_COLUMN) /* <--- oob */
    setKeyColor(&ledArray[ROWCOL2IDX(row, col)], color.rgb);
}
```
This leads to data corruption when setKeyColor tries to write to ledArray at an out-of-bounds offset, potentially causing DoS/RCE.
Change col <= NUM_COLUMN to col < NUM_COLUMN.
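The following is an added example, not code from the issue or the project. It compares the reported check with the proposed one over every possible (row, col) payload byte pair and classifies what each accepted write would touch. The values of NUM_ROW and NUM_COLUMN, the row-major ROWCOL2IDX definition, and all helper names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed for illustration: the issue does not show these definitions. */
#define NUM_ROW 5
#define NUM_COLUMN 14
#define ROWCOL2IDX(row, col) ((size_t)(row) * NUM_COLUMN + (col))
#define LED_COUNT ((size_t)NUM_ROW * NUM_COLUMN)

typedef enum { REJECTED, IN_RANGE, WRONG_KEY, OUT_OF_BOUNDS } outcome_t;

/* The check as quoted in the issue: accepts col == NUM_COLUMN. */
static bool check_reported(uint8_t row, uint8_t col) {
    return row < NUM_ROW && col <= NUM_COLUMN;
}
/* The check proposed in the issue. */
static bool check_fixed(uint8_t row, uint8_t col) {
    return row < NUM_ROW && col < NUM_COLUMN;
}

/* Classify what a write at (row, col) would touch if `check` accepts it. */
static outcome_t classify(bool (*check)(uint8_t, uint8_t), uint8_t row, uint8_t col) {
    if (!check(row, col)) return REJECTED;
    size_t idx = ROWCOL2IDX(row, col);
    if (idx >= LED_COUNT) return OUT_OF_BOUNDS; /* past the end of the array */
    return col >= NUM_COLUMN ? WRONG_KEY : IN_RANGE; /* aliases next row, col 0 */
}

/* Count payload pairs that a check accepts but should have rejected. */
static unsigned count_bad_accepts(bool (*check)(uint8_t, uint8_t)) {
    unsigned bad = 0;
    for (unsigned row = 0; row < 256; row++)
        for (unsigned col = 0; col < 256; col++) {
            outcome_t o = classify(check, (uint8_t)row, (uint8_t)col);
            bad += (o == WRONG_KEY || o == OUT_OF_BOUNDS);
        }
    return bad;
}

int main(void) {
    printf("reported check: %u bad accepts\n", count_bad_accepts(check_reported));
    printf("fixed check:    %u bad accepts\n", count_bad_accepts(check_fixed));
    return 0;
}
```

Under these assumptions only the last row with col == NUM_COLUMN writes past the array; the same column value on earlier rows stays inside the array but lands on the wrong key.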
Thanks for the catch, do you want to open a PR and I can approve it? Else I can draft a quick patch to fix it
Hi, #59 should fix all the bugs mentioned in #57 and #58