terminal: verify kernel-returned DRM events are not truncated

[elogind.git] / src / libsystemd-terminal / grdev-drm.c

diff --git a/src/libsystemd-terminal/grdev-drm.c b/src/libsystemd-terminal/grdev-drm.c
index 5c65c096dec2cdfb736f0963698a06057ec01d3c..5393ebf98880c0ae1338e22e32958602f251d411 100644 (file)
--- a/src/libsystemd-terminal/grdev-drm.c
+++ b/src/libsystemd-terminal/grdev-drm.c
@@ -2223,7 +2223,7 @@ static int grdrm_card_io_fn(sd_event_source *s, int fd, uint32_t revents, void *
                 for (i = 0; i < l; i += event->length) {
                         event = (void*)&buf[i];
 
-                        if (i + event->length > l) {
+                        if (i + (ssize_t)sizeof(*event) > l || i + (ssize_t)event->length > l) {
                                 log_debug("grdrm: %s/%s: truncated event", card->base.session->name, card->base.name);
                                 break;
                         }