Merge pull request #2939 from PwnVerse/patch-1

HiFiPhile · web-flow · commit 597446fbeab9 · 2025-01-22T23:48:57.000+01:00
Fix potential out of bounds access in msc_disk.c
diff --git a/examples/device/cdc_msc/src/msc_disk.c b/examples/device/cdc_msc/src/msc_disk.c
@@ -192,6 +192,9 @@ int32_t tud_msc_read10_cb(uint8_t lun, uint32_t lba, uint32_t offset, void* buff
   // out of ramdisk
   if ( lba >= DISK_BLOCK_NUM ) return -1;
 
+  // Check for overflow of offset + bufsize
+  if ( offset + bufsize >= DISK_BLOCK_SIZE ) return -1;
+
   uint8_t const* addr = msc_disk[lba] + offset;
   memcpy(buffer, addr, bufsize);
 
diff --git a/examples/device/cdc_msc_freertos/src/msc_disk.c b/examples/device/cdc_msc_freertos/src/msc_disk.c
@@ -191,6 +191,8 @@ int32_t tud_msc_read10_cb(uint8_t lun, uint32_t lba, uint32_t offset, void* buff
 
   // out of ramdisk
   if ( lba >= DISK_BLOCK_NUM ) return -1;
+  // Check for overflow of offset + bufsize
+  if ( offset + bufsize >= DISK_BLOCK_SIZE ) return -1;
 
   uint8_t const* addr = msc_disk[lba] + offset;
   memcpy(buffer, addr, bufsize);
