jalr/OpenRGB
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Validating user provided indexes in RGBController

Browse source 
When using the SDK Server, it was possible to provide indexes that would
later be used inside the various SetXDescription functions in
RGBController. This would result in possible out of bounds reads /
writes.

This is patched by checking the various indexes remain in bounds.
This commit is contained in:
B Horn 2020-07-10 20:13:11 +01:00 committed by Adam Honse
parent f02223d6ba
commit bb743c6b62
1 changed files with 33 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

34
RGBController/RGBController.cpp
View file

@ -894,6 +894,14 @@ void RGBController::SetModeDescription(unsigned char* data_buf)
memcpy(&mode_idx, &data_buf[data_ptr], sizeof(int));
data_ptr += sizeof(int);
/*---------------------------------------------------------*\
| Check if we aren't reading beyond the list of modes. |
\*---------------------------------------------------------*/
if(((size_t) mode_idx) > modes.size())
{
return;
}
/*---------------------------------------------------------*\
| Get pointer to target mode |
\*---------------------------------------------------------*/
@ -1049,6 +1057,14 @@ void RGBController::SetColorDescription(unsigned char* data_buf)
memcpy(&num_colors, &data_buf[data_ptr], sizeof(unsigned short));
data_ptr += sizeof(unsigned short);
/*---------------------------------------------------------*\
| Check if we aren't reading beyond the list of colors. |
\*---------------------------------------------------------*/
if(((size_t) num_colors) > colors.size())
{
return;
}
/*---------------------------------------------------------*\
| Copy in colors |
\*---------------------------------------------------------*/
@ -1130,6 +1146,14 @@ void RGBController::SetZoneColorDescription(unsigned char* data_buf)
memcpy(&zone_idx, &data_buf[data_ptr], sizeof(zone_idx));
data_ptr += sizeof(zone_idx);
/*---------------------------------------------------------*\
| Check if we aren't reading beyond the list of zones. |
\*---------------------------------------------------------*/
if(((size_t) zone_idx) > zones.size())
{
return;
}
/*---------------------------------------------------------*\
| Copy in number of colors (data) |
\*---------------------------------------------------------*/
@ -1184,12 +1208,20 @@ void RGBController::SetSingleLEDColorDescription(unsigned char* data_buf)
| RGBColor: LED color |
\*---------------------------------------------------------*/
int led_idx;
/*---------------------------------------------------------*\
| Copy in LED index |
\*---------------------------------------------------------*/
memcpy(&led_idx, &data_buf[0], sizeof(led_idx));
/*---------------------------------------------------------*\
| Check if we aren't reading beyond the list of leds. |
\*---------------------------------------------------------*/
if(((size_t) led_idx) > leds.size())
{
return;
}
/*---------------------------------------------------------*\
| Copy in LED color |
\*---------------------------------------------------------*/