Possible bug in dotstar.c pointer arithmetic

adafruit / Adafruit_DotStar_Pi

DotStar module for Python on Raspberry Pi

GNU General Public License v3.0

60 stars 30 forks source link

Possible bug in dotstar.c pointer arithmetic #4

Closed dtiller closed 9 years ago

dtiller commented 9 years ago

On line 349 or so, the LED index is checked against numLEDs, but it does not protect against negative numbers. The demo python script 'strandtest.py' that you supply explicitly calls this function with negative LED indices for variable 'i', which probably leads to some interesting (and out of bounds) pointer arithmetic on this line:

uint8_t ptr = &self->pixels[i \ 4 + 1];

Here's a patch.

349c349

< if(i < self->numLEDs) {

  if(i >=0 && i < self->numLEDs) {

PaintYourDragon commented 9 years ago

i and self->numLEDs are both unsigned. Passing a negative index (as in strandtest) 'wraps around' to an impossibly large positive index that gets clipped all the same (unless it's like negative billions, which isn't happening here). The i >=0 comparison will either get optimized out, or (depending on compiler flags) generate a warning.