OpenAnnePro / AnnePro2-Shine

Custom LED Matrix Firmware for Open Anne Pro 2 QMK Port
GNU General Public License v2.0

buffer overflow in function setLedKey #58

Open xidoo123 opened 8 months ago

xidoo123 commented 8 months ago

Description

The function setLedKey fails to check col properly:

static inline void setLedKey(led_t *ledArray, const message_t *msg) {
  uint8_t row = msg->payload[0];
  uint8_t col = msg->payload[1];
  led_t color = {.p.blue = msg->payload[2],
                 .p.green = msg->payload[3],
                 .p.red = msg->payload[4],
                 .p.alpha = msg->payload[5]};
  naiveDimLed(&color);
  if (row < NUM_ROW && col <= NUM_COLUMN) // <--- oob
    setKeyColor(&ledArray[ROWCOL2IDX(row, col)], color.rgb);
}

This leads to data corruption when setKeyColor tries to write to ledArray at an out-of-bounds offset, potentially causing DoS/RCE.

Fix

Change col <= NUM_COLUMN to col < NUM_COLUMN.
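
The following is an added example, not part of the original issue or the project's code: it tries every (row, col) byte pair a message payload can carry against the check as reported and against the proposed fix, and classifies what each one lets through. NUM_ROW = 5, NUM_COLUMN = 14, the row-major ROWCOL2IDX definition, and an ledArray of NUM_ROW * NUM_COLUMN entries are assumptions, since the issue does not show them.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed values for illustration; the issue does not show these definitions. */
#define NUM_ROW 5
#define NUM_COLUMN 14
#define ROWCOL2IDX(row, col) (NUM_COLUMN * (row) + (col))
#define LED_COUNT (NUM_ROW * NUM_COLUMN) /* assumed size of ledArray */

/* Check as quoted in the issue: index that would be written, or -1 if rejected. */
static int index_reported(uint8_t row, uint8_t col) {
  if (row < NUM_ROW && col <= NUM_COLUMN)
    return ROWCOL2IDX(row, col);
  return -1;
}

/* Check with the fix proposed in the issue. */
static int index_fixed(uint8_t row, uint8_t col) {
  if (row < NUM_ROW && col < NUM_COLUMN)
    return ROWCOL2IDX(row, col);
  return -1;
}

typedef struct { int out_of_bounds; int aliased; } audit_t;

/* Classify every accepted pair: index past the array, or an in-range index
   that belongs to a different key (col == NUM_COLUMN wraps into the next row). */
static audit_t audit(int (*check)(uint8_t, uint8_t)) {
  audit_t r = {0, 0};
  for (int row = 0; row < 256; row++)
    for (int col = 0; col < 256; col++) {
      int idx = check((uint8_t)row, (uint8_t)col);
      if (idx < 0) continue;
      if (idx >= LED_COUNT) r.out_of_bounds++;
      else if (col >= NUM_COLUMN) r.aliased++;
    }
  return r;
}

int main(void) {
  audit_t a = audit(index_reported), b = audit(index_fixed);
  printf("reported: %d out-of-bounds, %d aliased\n", a.out_of_bounds, a.aliased);
  printf("fixed:    %d out-of-bounds, %d aliased\n", b.out_of_bounds, b.aliased);
  return 0;
}
```

Under these assumptions the reported check accepts one pair that indexes one element past the array (last row, col == NUM_COLUMN) and four more that silently address the first key of the following row; the fixed check accepts neither.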

Codetector1374 commented 8 months ago

Thanks for the catch, do you want to open a PR and I can approve it? Else I can draft a quick patch to fix it.

xidoo123 commented 8 months ago

Hi, #59 should fix all the bugs mentioned in #57 and #58.