From 77fb7a388a2e0cab5926b96dcae0db440cd54eee Mon Sep 17 00:00:00 2001
From: Hagen Fritsch <fritsch+git@in.tum.de>
Date: Thu, 11 Aug 2011 11:53:07 +0200
Subject: [PATCH] fix buffer overflow in font handler

---
 firmware/lcd/render.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/firmware/lcd/render.c b/firmware/lcd/render.c
index c98b147..37f0110 100644
--- a/firmware/lcd/render.c
+++ b/firmware/lcd/render.c
@@ -223,7 +223,9 @@ int DoChar(int sx, int sy, int c){
                 _getFontData(SEEK_DATA,toff);
                 UINT res;
                 UINT readbytes;
-                res = f_read(&file, charBuf, width*height, &readbytes);
+                UINT size = width * height;
+                if(size > MAXCHR) size = MAXCHR;
+                res = f_read(&file, charBuf, size, &readbytes);
                 if(res != FR_OK || readbytes<width*height)
                     return sx;
                 data=charBuf;
@@ -252,7 +254,9 @@ int DoChar(int sx, int sy, int c){
                     postblank = read_byte ();
                     width-=3;
                     width/=height;
-                    res = f_read(&file, charBuf, width*height, &readbytes);
+                    UINT size = width * height;
+                    if(size > MAXCHR) size = MAXCHR;
+                    res = f_read(&file, charBuf, size, &readbytes);
                     if(res != FR_OK || readbytes<width*height)
                         return sx;
                     data=charBuf;