summaryrefslogtreecommitdiff
blob: 1ce26c468e87db9d84d1823f3dbe0b3059fc2058 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
From 2dad7b9fc67a1d0bfbe520fbd821678b8f8cc7a8 Mon Sep 17 00:00:00 2001
From: "Christian W. Zuckschwerdt" <christian@zuckschwerdt.org>
Date: Mon, 24 Jan 2022 15:53:20 +0100
Subject: [PATCH] minor: Fix overflow in Clipsal-CMR113 and Somfy-IOHC reported
 by aug5t7

---
 src/devices/cmr113.c     | 4 ++--
 src/devices/somfy_iohc.c | 9 +++++----
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/src/devices/cmr113.c b/src/devices/cmr113.c
index c85dfac56..19ec5d421 100644
--- a/src/devices/cmr113.c
+++ b/src/devices/cmr113.c
@@ -42,8 +42,8 @@ Kudos to Jon Oxer for decoding this stream and putting it here:
 
 */
 
-#define COMPARE_BITS 83
-#define COMPARE_BYTES (COMPARE_BITS/8)
+#define COMPARE_BITS  83
+#define COMPARE_BYTES ((COMPARE_BITS + 7) / 8)
 
 static int cmr113_decode(r_device *decoder, bitbuffer_t *bitbuffer)
 {
diff --git a/src/devices/somfy_iohc.c b/src/devices/somfy_iohc.c
index 906cae53e..2c88067b5 100644
--- a/src/devices/somfy_iohc.c
+++ b/src/devices/somfy_iohc.c
@@ -100,11 +100,12 @@ static int somfy_iohc_decode(r_device *decoder, bitbuffer_t *bitbuffer)
     if (bitbuffer->num_rows != 1)
         return DECODE_ABORT_EARLY;
 
-    int offset = bitbuffer_search(bitbuffer, 0, 0, preamble_pattern, 24) + 24;
-    if (offset >= bitbuffer->bits_per_row[0] - 19 * 10)
+    unsigned offset = bitbuffer_search(bitbuffer, 0, 0, preamble_pattern, 24) + 24;
+    if (offset + 19 * 10 >= bitbuffer->bits_per_row[0])
         return DECODE_ABORT_EARLY;
 
-    int num_bits = bitbuffer->bits_per_row[0] - offset;
+    unsigned num_bits = bitbuffer->bits_per_row[0] - offset;
+    num_bits = MIN(num_bits, sizeof (b) * 8);
 
     int len = extract_bytes_uart(bitbuffer->bb[0], offset, num_bits, b);
     if (len < 19)
@@ -120,7 +121,7 @@ static int somfy_iohc_decode(r_device *decoder, bitbuffer_t *bitbuffer)
     // calculate and verify checksum
     if (crc16lsb(b, len, 0x8408, 0x0000) != 0) // unreflected poly 0x1021
         return DECODE_FAIL_MIC;
-    bitrow_printf(b, len * 8, "%s: offset %d, num_bits %d, len %d, msg_len %d\n", __func__, offset, num_bits, len, msg_len);
+    bitrow_printf(b, len * 8, "%s: offset %u, num_bits %u, len %d, msg_len %d\n", __func__, offset, num_bits, len, msg_len);
 
     int msg_type = (b[0]);
     int dst_id   = ((unsigned)b[4] << 24) | (b[3] << 16) | (b[2] << 8) | (b[1]); // assume Little-Endian