Bug 9565

Summary: Truncated names on neofb
Product: Drivers
Reporter: Marcio Buss (marciobuss)
Component: Video(Other)
Assignee: drivers_video-other
Status: REJECTED WILL_NOT_FIX
Severity: normal
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 2.6.23
Subsystem:
Regression: ---
Bisected commit-id:

Description Marcio Buss 2007-12-14 14:47:33 UTC
In file drivers/video/neofb.c it seems there are multiple buffer overrun
errors involving "info->fix.id". For example, on line 2103 the statement

sprintf(info->fix.id, "MagicGraph 256XL+");

writes 18 bytes (including the terminator character) into info->fix.id,
yet fix.id is only 16 bytes long. Is there any catch here, or did the
programmer overlook the length of "id"?
Comment 1 Andrew Morton 2007-12-21 15:47:06 UTC
I queued neofb-avoid-overwriting-fb_info-fields.patch to address this.
Comment 2 Pete Zaitcev 2008-02-05 16:46:51 UTC
It is a correct patch w.r.t. the overflow, but it produces truncated
names. I would rather see one which renames "MagicGraph 128V+" into
"MagicGr 128V+". And in any case snprintf is clearly an overkill where
strlcpy would do.
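
Added example, not part of the bug thread or of neofb.c: a user-space sketch of the trade-off discussed in the comments above, using the 16-byte id size from the report. The struct demo_fix, its canary field and the helpers bounded_copy, set_id and bytes_needed are hypothetical names introduced for illustration; bounded_copy follows strlcpy-style semantics.

```c
#include <stdio.h>
#include <string.h>

#define FB_ID_LEN 16   /* size of fix.id as stated in the report */

/* Hypothetical stand-in for the fixed-size id field; the canary is a
 * constructed neighbour field that an unbounded copy would overwrite. */
struct demo_fix { char id[FB_ID_LEN]; char canary[8]; };

/* Bytes an unbounded sprintf(id, name) would write, terminator included. */
static size_t bytes_needed(const char *name) { return strlen(name) + 1; }

/* strlcpy-style copy: always NUL-terminates and returns strlen(src),
 * so a return value >= size tells the caller the name was truncated. */
static size_t bounded_copy(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);
    if (size != 0) {
        size_t n = len < size - 1 ? len : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* Returns 1 if the name was stored whole, 0 if it had to be truncated. */
static int set_id(struct demo_fix *fix, const char *name)
{
    return bounded_copy(fix->id, name, sizeof(fix->id)) < sizeof(fix->id);
}

int main(void)
{
    /* Names quoted in the thread: two originals and the proposed rename. */
    const char *names[] = { "MagicGraph 256XL+", "MagicGraph 128V+",
                            "MagicGr 128V+" };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        struct demo_fix fix;
        memset(&fix, 0, sizeof(fix));
        memcpy(fix.canary, "CANARY!", sizeof(fix.canary));
        int whole = set_id(&fix, names[i]);
        printf("%-18s needs %2zu of %d bytes -> \"%s\" (%s), canary %s\n",
               names[i], bytes_needed(names[i]), FB_ID_LEN, fix.id,
               whole ? "whole" : "truncated",
               strcmp(fix.canary, "CANARY!") == 0 ? "intact" : "clobbered");
    }
    return 0;
}
```

The bounded copy keeps the adjacent field intact in every case, but only the shortened name is stored without losing characters.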
Comment 3 Alan 2008-09-22 10:45:28 UTC
Changing title to reflect current bug