Commit ce6c3d59 authored by Dan Carpenter's avatar Dan Carpenter Committed by Chen Ridong
Browse files

speakup: Fix sizeof() vs ARRAY_SIZE() bug 

stable inclusion
from stable-v4.19.316
commit 42f0a3f67158ed6b2908d2b9ffbf7e96d23fd358
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SI7
CVE: CVE-2024-38587

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=42f0a3f67158ed6b2908d2b9ffbf7e96d23fd358



----------------------------------------------------------------------

commit 008ab3c53bc4f0b2f20013c8f6c204a3203d0b8b upstream.

The "buf" pointer is an array of u16 values.  This code should be
using ARRAY_SIZE() (which is 256) instead of sizeof() (which is 512),
otherwise it can the still got out of bounds.

Fixes: c3b12fcb ("speakup: Avoid crash on very long word")
Cc: stable@vger.kernel.org
Signed-off-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: default avatarSamuel Thibault <samuel.thibault@ens-lyon.org>
Link: https://lore.kernel.org/r/d16f67d2-fd0a-4d45-adac-75ddd11001aa@moroto.mountain


Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarChen Ridong <chenridong@huawei.com>
parent 4842b09d
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment