Closed matteodelabre closed 2 years ago
There is a buffer overread in the following call to `msgsnd`: https://github.com/canselcik/libremarkable/blob/b146c390af05f5e69529e0ee5c635767e2e8b1e8/src/framebuffer/swtfb_client.rs#L125

As per the man page, the `msgsz` argument (third argument) should not include the size of the mtype field, only of the data field, so currently this call will read 4 extra bytes from memory and send them to the server.
(Related to ddvk/remarkable2-framebuffer#89.)
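Added example, not part of the original issue and not libremarkable's code: a small Linux-only Rust program that shows the `msgsz` rule from msgsnd(2) on a hypothetical 16-byte payload struct (`Update`, standing in for whatever the client really sends), with the System V calls declared by hand as FFI so no external crate is needed. It sends the same message twice through a private queue, once with the correct size and once with the whole-struct size the issue describes, and returns what the receiver sees. The message is written into a 64-byte buffer filled with 0xAA so that the buggy call's overread stays inside memory the program owns and the leaked bytes are recognisable; the struct layout, buffer size and fill value are all assumptions made for the demo.

```rust
// Added example (not libremarkable's code). Hypothetical payload struct and
// hand-declared FFI for the glibc SysV message-queue calls; Linux only.
use std::mem::size_of;
use std::os::raw::{c_int, c_long, c_void};

unsafe extern "C" {
    fn msgget(key: c_int, msgflg: c_int) -> c_int;
    fn msgsnd(msqid: c_int, msgp: *const c_void, msgsz: usize, msgflg: c_int) -> c_int;
    fn msgrcv(msqid: c_int, msgp: *mut c_void, msgsz: usize, msgtyp: c_long, msgflg: c_int) -> isize;
    fn msgctl(msqid: c_int, cmd: c_int, buf: *mut c_void) -> c_int;
}
const IPC_PRIVATE: c_int = 0;
const IPC_CREAT: c_int = 0o1000;
const IPC_RMID: c_int = 0;

/// Hypothetical 16-byte payload standing in for the update the client sends.
#[allow(dead_code)]
#[repr(C)]
struct Update { x: u32, y: u32, w: u32, h: u32 }

/// Layout msgsnd expects: a `long` type tag immediately followed by the payload.
#[repr(C)]
struct Msg { mtype: c_long, data: Update }

/// The size the issue calls buggy: the whole struct, mtype included.
fn msgsz_buggy() -> usize { size_of::<Msg>() }

/// The size msgsnd(2) asks for: the payload (data field) bytes only.
fn msgsz_correct() -> usize { size_of::<Update>() }

/// Bytes copied from past the end of `data` when the buggy size is used:
/// sizeof(long), i.e. 4 on the 32-bit ARM device, 8 on a 64-bit host.
fn overread_bytes() -> usize { msgsz_buggy() - msgsz_correct() }

/// Send one message with the given msgsz through a private queue and return
/// the payload bytes the receiver observes. The Msg is placed at the start
/// of a 64-byte buffer filled with 0xAA so the buggy call's overread stays in
/// memory we own and the leaked bytes are easy to spot.
fn send_and_measure(msgsz: usize) -> Result<Vec<u8>, String> {
    #[repr(C, align(8))]
    struct Buf([u8; 64]);
    let mut tx = Buf([0xAA; 64]);
    let mut rx = Buf([0; 64]);
    let tag = size_of::<c_long>();
    unsafe {
        std::ptr::write(
            tx.0.as_mut_ptr() as *mut Msg,
            Msg { mtype: 1, data: Update { x: 1, y: 2, w: 3, h: 4 } },
        );
        let qid = msgget(IPC_PRIVATE, IPC_CREAT | 0o600);
        if qid < 0 {
            return Err(format!("msgget failed: {}", std::io::Error::last_os_error()));
        }
        let sent = msgsnd(qid, tx.0.as_ptr() as *const c_void, msgsz, 0);
        if sent < 0 {
            let e = std::io::Error::last_os_error();
            msgctl(qid, IPC_RMID, std::ptr::null_mut());
            return Err(format!("msgsnd failed: {e}"));
        }
        // Receive with a generous limit so an oversized message is returned
        // instead of being rejected with E2BIG.
        let got = msgrcv(qid, rx.0.as_mut_ptr() as *mut c_void, 64 - tag, 1, 0);
        let rcv_err = std::io::Error::last_os_error();
        msgctl(qid, IPC_RMID, std::ptr::null_mut());
        if got < 0 {
            return Err(format!("msgrcv failed: {rcv_err}"));
        }
        Ok(rx.0[tag..tag + got as usize].to_vec())
    }
}

fn main() {
    println!(
        "payload {} bytes, buggy msgsz {} bytes, overread {} bytes",
        msgsz_correct(), msgsz_buggy(), overread_bytes()
    );
    for (label, sz) in [("correct", msgsz_correct()), ("buggy", msgsz_buggy())] {
        match send_and_measure(sz) {
            Ok(bytes) => println!("{label}: receiver got {} bytes: {:02x?}", bytes.len(), bytes),
            Err(e) => println!("{label}: {e}"),
        }
    }
}
```

With the correct size the receiver gets exactly the 16 payload bytes; with the whole-struct size it gets 16 + sizeof(long) bytes, the tail being whatever sat after the struct in memory (0xAA here, stack or heap contents in a real client). On the reMarkable's 32-bit ARM userspace sizeof(long) is 4, which is where the issue's "4 extra bytes" comes from; on a 64-bit host the same bug leaks 8. The fix is to pass the size of the payload type, not the size of the wrapper struct that carries the mtype tag.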