speakup: Fix sizeof() vs ARRAY_SIZE() bug

commit 008ab3c53bc4f0b2f20013c8f6c204a3203d0b8b upstream. The "buf" pointer is an array of u16 values. This code should be using ARRAY_SIZE() (which is 256) instead of sizeof() (which is 512), otherwise it can the still got out of bounds. Fixes: c8d2f34ea96e ("speakup: Avoid crash on very long word") Cc: [email protected] Signed-off-by: Dan Carpenter <[email protected]> Reviewed-by: Samuel Thibault <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>
AXP-OS · Aug 20, 2024 · b1a0b2e · b1a0b2e
1 parent 2d7f41c
commit b1a0b2e
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/drivers/accessibility/speakup/main.c b/drivers/accessibility/speakup/main.c
@@ -576,7 +576,7 @@ static u_long get_word(struct vc_data *vc)
 	}
 	attr_ch = get_char(vc, (u_short *)tmp_pos, &spk_attr);
 	buf[cnt++] = attr_ch;
-	while (tmpx < vc->vc_cols - 1 && cnt < sizeof(buf) - 1) {
+	while (tmpx < vc->vc_cols - 1 && cnt < ARRAY_SIZE(buf) - 1) {
 		tmp_pos += 2;
 		tmpx++;
 		ch = get_char(vc, (u_short *)tmp_pos, &temp);