andy/tinyUSB
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Merge pull request #2939 from PwnVerse/patch-1

Browse Source 
Fix potential out of bounds access in msc_disk.c
This commit is contained in:
HiFiPhile
2025-01-22 23:48:57 +01:00
committed by GitHub
parent feb41eeceb 19d28a9d15
commit 597446fbea
2 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
examples/device/cdc_msc/src/msc_disk.c
View File

@@ -192,6 +192,9 @@ int32_t tud_msc_read10_cb(uint8_t lun, uint32_t lba, uint32_t offset, void* buff
// out of ramdisk // out of ramdisk
if ( lba >= DISK_BLOCK_NUM ) return -1; if ( lba >= DISK_BLOCK_NUM ) return -1;
// Check for overflow of offset + bufsize
if ( offset + bufsize >= DISK_BLOCK_SIZE ) return -1;
uint8_t const* addr = msc_disk[lba] + offset; uint8_t const* addr = msc_disk[lba] + offset;
memcpy(buffer, addr, bufsize); memcpy(buffer, addr, bufsize);

2
examples/device/cdc_msc_freertos/src/msc_disk.c
View File

@@ -191,6 +191,8 @@ int32_t tud_msc_read10_cb(uint8_t lun, uint32_t lba, uint32_t offset, void* buff
// out of ramdisk // out of ramdisk
if ( lba >= DISK_BLOCK_NUM ) return -1; if ( lba >= DISK_BLOCK_NUM ) return -1;
// Check for overflow of offset + bufsize
if ( offset + bufsize >= DISK_BLOCK_SIZE ) return -1;
uint8_t const* addr = msc_disk[lba] + offset; uint8_t const* addr = msc_disk[lba] + offset;
memcpy(buffer, addr, bufsize); memcpy(buffer, addr, bufsize);