From 6dfede0806f387c6cf0dca8f5030f41592dd2bbb Mon Sep 17 00:00:00 2001
From: ZeroOne <42103354+zeroone-kr@users.noreply.github.com>
Date: Wed, 11 Oct 2023 14:01:09 +0900
Subject: [PATCH] fix lightware_laser_serial: prevent potential heap buffer overflow (#22202)

In the lightware_parser function, LW_PARSE_STATE2_GOT_DIGIT0 state can be repeated unexpectedly without proper parserbuf_index or state checking. This behavior will trigger a heap buffer overflow vulnerability by allowing to write some data. And the writable size is sizeof(unsigned).
---
 .../lightware_laser_serial/lightware_laser_serial.cpp | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/drivers/distance_sensor/lightware_laser_serial/lightware_laser_serial.cpp b/src/drivers/distance_sensor/lightware_laser_serial/lightware_laser_serial.cpp
index f27636657f..648d5f649f 100644
--- a/src/drivers/distance_sensor/lightware_laser_serial/lightware_laser_serial.cpp
+++ b/src/drivers/distance_sensor/lightware_laser_serial/lightware_laser_serial.cpp
@@ -219,6 +219,11 @@ int LightwareLaserSerial::collect()
 } else {
 for (int i = 0; i < ret; i++) {
 
+ // Check for overflow
+ if (_linebuf_index >= sizeof(_linebuf)) {
+ _parse_state = LW_PARSE_STATE0_UNSYNC;
+ }
+
 if (OK == lightware_parser(readbuf[i], _linebuf, &_linebuf_index, &_parse_state, &distance_m)) {
 valid = true;
 }
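Review bot: The new guard resets `_parse_state` but leaves `_linebuf_index` at its out-of-range value, so the very next `lightware_parser` call on the line below still receives an index that is `>= sizeof(_linebuf)`; unless the parser's UNSYNC state is known to zero the index before it ever stores into `parserbuf`, the write the commit message describes can still land once. The guard should re-establish the invariant it is checking, e.g. add `_linebuf_index = 0;` beside `_parse_state = LW_PARSE_STATE0_UNSYNC;`, and the same bound check arguably belongs inside `lightware_parser` (which owns the index and the state machine) so every caller and every state path that appends a byte is covered rather than only this loop. Note also that `sizeof(_linebuf)` bounds the buffer only if `_linebuf` is declared as an array member rather than a pointer; its declaration is not in the hunk, so that is worth confirming. The enclosing `for` loop and `collect()` body continue outside the hunk.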