From a7232ba06becbe0335ffce1c47c76a4dc2fc9408 Mon Sep 17 00:00:00 2001
From: arche8
Date: Mon, 10 Nov 2025 20:55:32 +0800
Subject: [PATCH] Fix Buffer Overflow Vulnerabilities in Firmata SYSEX Message Processing

---
 FirmataParser.cpp | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/FirmataParser.cpp b/FirmataParser.cpp
index d402fdf0..2e379f1c 100644
--- a/FirmataParser.cpp
+++ b/FirmataParser.cpp
@@ -436,7 +436,8 @@ void FirmataParser::processSysexMessage(void)
 if ( 3 > sysexBytesRead ) {
 (*currentReportFirmwareCallback)(currentReportFirmwareCallbackContext, 0, 0, (const char *)NULL);
 } else {
- const size_t end_of_string = (string_offset + decodeByteStream((sysexBytesRead - string_offset), &dataBuffer[string_offset]));
+ const size_t bytec = min(sysexBytesRead - string_offset, dataBufferSize - string_offset);
+ const size_t end_of_string = (string_offset + decodeByteStream(bytec, &dataBuffer[string_offset]));
 bufferDataAtPosition('\0', end_of_string); // NULL terminate the string
 (*currentReportFirmwareCallback)(currentReportFirmwareCallbackContext, (size_t)dataBuffer[major_version_offset], (size_t)dataBuffer[minor_version_offset], (const char *)&dataBuffer[string_offset]);
 }
@@ -445,7 +446,8 @@ void FirmataParser::processSysexMessage(void)
 case STRING_DATA:
 if (currentStringCallback) {
 const size_t string_offset = 1;
- const size_t end_of_string = (string_offset + decodeByteStream((sysexBytesRead - string_offset), &dataBuffer[string_offset]));
+ const size_t bytec = min(sysexBytesRead - string_offset, dataBufferSize - string_offset);
+ const size_t end_of_string = (string_offset + decodeByteStream(bytec, &dataBuffer[string_offset]));
 bufferDataAtPosition('\0', end_of_string); // NULL terminate the string
 (*currentStringCallback)(currentStringCallbackContext, (const char *)&dataBuffer[string_offset]);
 }
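Review bot: The new `bytec` clamp in the REPORT_FIRMWARE branch still leaves a one-byte over-read if decodeByteStream (outside this hunk) consumes `bytev[i]` and `bytev[i + 1]` for every `i < bytec`: whenever `dataBufferSize - string_offset` is odd and the clamp is active, the last pair touches `dataBuffer[dataBufferSize]`, which happens for ordinary sizes such as a 64-byte buffer with an offset of 3 (what the major/minor offsets and the `3 > sysexBytesRead` test suggest the string offset is here). The cleanest fix is in the decoder, stopping its pair loop at `i + 1 < bytec`, or, if an unpaired trailing byte carries nothing useful, round down here: `const size_t bytec = min(sysexBytesRead - string_offset, dataBufferSize - string_offset) & ~static_cast<size_t>(1);`. `dataBufferSize - string_offset` also wraps when the caller supplied a buffer shorter than the offset, and `min` then returns the unclamped count, so the malformed-message test should become `if ( 3 > sysexBytesRead || dataBufferSize <= string_offset ) {`. The clamp needs a why-comment since the hunk does not say how `sysexBytesRead` can exceed the buffer; I would add `// the byte counter keeps advancing after dataBuffer is full; never tell the decoder more bytes than the buffer holds` above it, assuming that is the mechanism. processSysexMessage starts before and ends after this hunk.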
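Review bot: In the STRING_DATA branch nothing guards `sysexBytesRead - string_offset` before the clamp, so if an empty SYSEX can reach processSysexMessage with `sysexBytesRead == 0` (the hunk shows no check) the subtraction wraps, `min` then picks `dataBufferSize - 1`, and the callback is presumably handed whatever the buffer still holds from an earlier message; `dataBufferSize - string_offset` wraps the same way on a zero-length buffer, which would defeat the clamp entirely. Widening the existing condition closes both while still allowing a legitimately empty string: `if (currentStringCallback && sysexBytesRead >= string_offset && dataBufferSize > string_offset) {`. Unqualified `min` is also new in this file; if FirmataParser.cpp builds outside the Arduino core, where `min` comes from Arduino.h as a macro or template, it needs `std::min` from <algorithm> or a small local helper, otherwise the fix does not compile on the host side. A short comment on the `bytec` line stating the intent, `// clamp to the buffer: the byte counter can exceed dataBufferSize when the message overflowed on receipt`, would help the next reader, if that is indeed how the counter behaves. processSysexMessage continues after this hunk.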