[lvc-project] [PATCH] HID: picolcd: prevent NULL pointer dereference in picolcd_send_and_wait()

Jiri Kosina jikos at kernel.org
Mon Jun 29 11:46:34 MSK 2026


On Sun, 17 May 2026, Georgiy Osokin wrote:

> In picolcd_send_and_wait(), an integer overflow of the signed loop counter
> 'k' can theoretically lead to a NULL pointer dereference of 'raw_data'.
> If the loop executes more than INT_MAX times, 'k' becomes negative,
> making the condition 'k < size' true even when 'size' is 0.
> 
> Change the type of 'k' to 'unsigned int' to prevent the overflow and
> eliminate the out-of-bounds access.
> 
> Found by Linux Verification Center (linuxtesting.org) with the Svace static
> analysis tool.
> 
> Fixes: fabdbf2 ("HID: picoLCD: split driver code")

Next time, please make the shas of commits a little bit longer to avoid 
uncertainty.

> Signed-off-by: Georgiy Osokin <g.osokin at auroraos.dev>

Applied, thanks!

-- 
Jiri Kosina
SUSE Labs



