Accessing an element of array 'G->speeds' of size 10 at getty.c:165 can lead to a buffer overflow, since the index 'G->numspeed' can have an out of range value 10, as indicated by a preceding conditional expression at getty.c:170.
Signed-off-by: Maks Mishin <[email protected]> --- loginutils/getty.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/loginutils/getty.c b/loginutils/getty.c index 4581cc9f7..de364f322 100644 --- a/loginutils/getty.c +++ b/loginutils/getty.c @@ -167,7 +167,7 @@ static void parse_speeds(char *arg) bb_error_msg_and_die("bad speed: %s", cp); /* note: arg "0" turns into speed B0 */ G.numspeed++; - if (G.numspeed > MAX_SPEED) + if (G.numspeed == MAX_SPEED - 1) bb_simple_error_msg_and_die("too many alternate speeds"); } debug("exiting parse_speeds\n"); -- 2.30.2 _______________________________________________ busybox mailing list [email protected] http://lists.busybox.net/mailman/listinfo/busybox
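Review bot: The new test `if (G.numspeed == MAX_SPEED - 1)`, placed right after `G.numspeed++`, is stricter than the described overflow requires and turns a bound into an exact match. If MAX_SPEED is the array size of 10 that the commit message gives, the call now dies as soon as the ninth speed has been counted, so speed lists that would still fit in the array are rejected with "too many alternate speeds". The message places the out-of-range access at getty.c:165, before this increment. A bound check ahead of that store, such as `if (G.numspeed >= MAX_SPEED)`, would stop index 10 from being used while still accepting a full array. If the check stays after the increment, a range comparison is safer than `==`, which no longer fires should the counter ever pass that value. The commit message also writes `G->speeds` and `G->numspeed` while the code uses `G.numspeed`, and cites line 165 as following from a condition at line 170; both are worth correcting so the log matches the source.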
