static int grub_username_get(char buf[],unsigned buf_size)
{
unsigned cur_len=0;
int key;
while(1)
{
key=grub_getkey();
if(key=='\n'||key=='\r')
break;
if(key=='\e')
{
cur_len=0;
break;
}
if(key=='\b')//Does not checks underflows!!
{
cur_len--;//Integer underflow!!
grub_printf("\b");
continue;
}
if(!grub_isprint(key))
continue;
if(cur_len+2<buf_size)
{
buf[cur_len++]=key;//Off-by-two!!
grub_printf("%c",key);
}
}
grub_memset(buf+cur_len,0,buf_size-cur_len);//Out of bounds overwrite
grub_xputs("\n");
grub_refresh();
return (key!='\e');
}
深度解析原文地址:http://www.qingpingshan.com/pc/aq/34472.html