Hi,
On 29. 07. 20, 9:53, 张云海 wrote:
> This patch doesn't fix the issue, the check should be in the loop.
>
> The change of the VT size is before vgacon_scrollback_update, not in the meantime.
>
> Let's consider the following situation:
>   suppose:
>     vgacon_scrollback_cur->size is 65440
>     vgacon_scrollback_cur->tail is 64960
>     c->vc_size_row is 160
>     count is 5
>
>   Reset c->vc_size_row to 200 by VT_RESIZE, then call vgacon_scrollback_update.
>
>   This will pass the check, since (vgacon_scrollback_cur->tail + c->vc_size_row)
>   is 65160 which is less than vgacon_scrollback_cur->size (65440).
>
>   However, in the 3rd iteration of the loop, vgacon_scrollback_cur->tail is updated
>   to 65360, the memcpy will overflow.

But the loop checks for the overflow:
  if (vgacon_scrollback_cur->tail >= vgacon_scrollback_cur->size)
        vgacon_scrollback_cur->tail = 0;

So the first 2 iterations would write to the end of the buffer and this 3rd one should have zeroed ->tail.
thanks,
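
The figures from the mail above, run through an offset-only model of the copy loop. This is an added example, not code from the thread or from the kernel. The loop shape (copy one row at tail, advance tail, then wrap when tail >= size) and the names simulate_update, check_mode and result are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

enum check_mode { PRE_LOOP_ONLY, IN_LOOP };

struct result {
    size_t worst;   /* most bytes any row copy runs past the buffer end */
    int bad_iter;   /* 1-based iteration of the first overrun, 0 if none */
};

/* Walks the copy loop on offsets only; no memory is written. */
static struct result simulate_update(size_t size, size_t tail, size_t row,
                                     int count, enum check_mode mode)
{
    struct result r = { 0, 0 };
    int i;

    /* Check done once before the loop, as in the patch under discussion. */
    if (mode == PRE_LOOP_ONLY && tail + row > size)
        tail = 0;

    for (i = 1; i <= count; i++) {
        /* Check repeated for every row, as the quoted mail asks for. */
        if (mode == IN_LOOP && tail + row > size)
            tail = 0;

        if (tail + row > size) {        /* this row's memcpy would overrun */
            size_t over = tail + row - size;
            if (!r.bad_iter)
                r.bad_iter = i;
            if (over > r.worst)
                r.worst = over;
        }
        tail += row;
        if (tail >= size)               /* wrap check quoted in the reply */
            tail = 0;
    }
    return r;
}

int main(void)
{
    /* size, tail, row and count are the values given in the thread. */
    struct result a = simulate_update(65440, 64960, 200, 5, PRE_LOOP_ONLY);
    struct result b = simulate_update(65440, 64960, 200, 5, IN_LOOP);
    printf("pre-loop check only: %zu bytes over, iteration %d\n", a.worst, a.bad_iter);
    printf("check inside loop:   %zu bytes over, iteration %d\n", b.worst, b.bad_iter);
    return 0;
}
```

With the original 160-byte row the same run stays in bounds, because 65440 is a multiple of 160 and tail lands exactly on size before the wrap check.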