From 8552a7282c6f923def6a4279bbae710a250c1b0a Mon Sep 17 00:00:00 2001 From: CTCaer Date: Fri, 17 Jan 2020 09:22:28 +0200 Subject: [PATCH] ini: Fix heap corruption caused by backlight option Additionally, name all text size values so it doesn't happen again in the future. --- bootloader/config/config.c | 49 +++++++++++++++++++++----------------- 1 file changed, 27 insertions(+), 22 deletions(-) diff --git a/bootloader/config/config.c b/bootloader/config/config.c index 24507ce..2bde7ae 100644 --- a/bootloader/config/config.c +++ b/bootloader/config/config.c @@ -285,10 +285,11 @@ void config_autoboot() LIST_INIT(ini_sections); u8 max_entries = 30; + u32 boot_text_size = 512; ment_t *ments = (ment_t *)malloc(sizeof(ment_t) * (max_entries + 5)); u32 *boot_values = (u32 *)malloc(sizeof(u32) * max_entries); - char *boot_text = (char *)malloc(512 * max_entries); + char *boot_text = (char *)malloc(boot_text_size * max_entries); for (u32 j = 0; j < max_entries; j++) boot_values[j] = j; @@ -334,12 +335,12 @@ void config_autoboot() else { if (h_cfg.autoboot != (i - 4) || h_cfg.autoboot_list) - boot_text[(i - 4) * 512] = ' '; + boot_text[(i - 4) * boot_text_size] = ' '; else - boot_text[(i - 4) * 512] = '*'; - strcpy(boot_text + (i - 4) * 512 + 1, ini_sec->name); - ments[i].caption = &boot_text[(i - 4) * 512]; + boot_text[(i - 4) * boot_text_size] = '*'; + strcpy(boot_text + (i - 4) * boot_text_size + 1, ini_sec->name); + ments[i].caption = &boot_text[(i - 4) * boot_text_size]; } ments[i].type = ini_sec->type; ments[i].data = &boot_values[i - 4]; 
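Review bot: `boot_text_size` in the first config_autoboot() hunk is a plain mutable `u32` local, so a later edit could reassign it between the malloc() and the indexing that depends on it. Declaring it `const u32 boot_text_size = 512;` (or as a file-level enum constant) would state that the allocation and the stride share one fixed value. The same applies to `delay_text_size`, `vr_text_size` and `bri_text_size` in the later hunks. The body of config_autoboot() continues outside this hunk.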
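Review bot: The `strcpy(boot_text + (i - 4) * boot_text_size + 1, ini_sec->name);` line in the second hunk still copies the section name with no length limit, so a name of `boot_text_size - 1` bytes or more would run into the next caption slot or, for the last entry, past the end of the allocation. The name presumably comes from the parsed ini file; whether the parser caps its length is not visible here. Now that the slot size has a name, the copy could be bounded against it, for example `u32 n = strlen(ini_sec->name); if (n > boot_text_size - 2) n = boot_text_size - 2;` followed by `memcpy(slot + 1, ini_sec->name, n); slot[n + 1] = '\0';`, where `slot` is the entry's caption pointer. The loop that limits `i` against `max_entries` starts outside the hunk, so that bound should be confirmed as well.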
@@ -395,10 +396,11 @@ void config_bootdelay() gfx_con_setpos(0, 0); u32 delay_entries = 6; + u32 delay_text_size = 32; ment_t *ments = (ment_t *)malloc(sizeof(ment_t) * (delay_entries + 3)); u32 *delay_values = (u32 *)malloc(sizeof(u32) * delay_entries); - char *delay_text = (char *)malloc(32 * delay_entries); + char *delay_text = (char *)malloc(delay_text_size * delay_entries); for (u32 j = 0; j < delay_entries; j++) delay_values[j] = j; @@ -419,14 +421,14 @@ void config_bootdelay() for (i = 1; i < delay_entries; i++) { if (h_cfg.bootwait != i) - delay_text[i * 32] = ' '; + delay_text[i * delay_text_size] = ' '; else - delay_text[i * 32] = '*'; - delay_text[i * 32 + 1] = i + '0'; - strcpy(delay_text + i * 32 + 2, " seconds"); + delay_text[i * delay_text_size] = '*'; + delay_text[i * delay_text_size + 1] = i + '0'; + strcpy(delay_text + i * delay_text_size + 2, " seconds"); ments[i + 2].type = MENT_DATA; - ments[i + 2].caption = delay_text + i * 32; + ments[i + 2].caption = delay_text + (i * delay_text_size); ments[i + 2].data = &delay_values[i]; } @@ -454,9 +456,11 @@ void config_verification() gfx_clear_grey(0x1B); gfx_con_setpos(0, 0); + u32 vr_text_size = 64; + ment_t *ments = (ment_t *)malloc(sizeof(ment_t) * 6); u32 *vr_values = (u32 *)malloc(sizeof(u32) * 3); - char *vr_text = (char *)malloc(64 * 3); + char *vr_text = (char *)malloc(vr_text_size * 3); for (u32 j = 0; j < 3; j++) { @@ -477,10 +481,10 @@ void config_verification() for (u32 i = 0; i < 3; i++) { if (h_cfg.verification != i) - vr_text[64 * i] = ' '; + vr_text[vr_text_size * i] = ' '; else - vr_text[64 * i] = '*'; - ments[2 + i].caption = vr_text + (i * 64); + vr_text[vr_text_size * i] = '*'; + ments[2 + i].caption = vr_text + (i * vr_text_size); } memset(&ments[5], 0, sizeof(ment_t)); 
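Review bot: The offset `i * delay_text_size` is recomputed on five lines of the config_bootdelay() loop (hunk at -419), and a repeated offset like this is what allowed the stride and the allocation to disagree in config_backlight(). Computing it once, `char *slot = delay_text + i * delay_text_size;`, and then using `slot[0]`, `slot[1]`, `strcpy(slot + 2, " seconds")` and `ments[i + 2].caption = slot;` leaves a single place where the stride appears. The loops in the config_autoboot(), config_verification() and config_backlight() hunks repeat the offset in the same way. The enclosing function starts outside this hunk.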
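Review bot: The entry count in config_verification() (hunk at -454) stays as the literal `3` in `malloc(sizeof(u32) * 3)`, `malloc(vr_text_size * 3)` and the `j < 3` loop, while the other three functions name theirs (`max_entries`, `delay_entries`, `bri_entries`). Adding `u32 vr_entries = 3;` next to `vr_text_size` and using it in the allocations and loops, with `sizeof(ment_t) * (vr_entries + 3)` in place of `6`, would keep the buffer sizes and the loop bounds tied to one value. The function body continues outside this hunk.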
@@ -507,11 +511,12 @@ void config_backlight() gfx_clear_grey(0x1B); gfx_con_setpos(0, 0); + u32 bri_text_size = 8; u32 bri_entries = 11; ment_t *ments = (ment_t *)malloc(sizeof(ment_t) * (bri_entries + 3)); u32 *bri_values = (u32 *)malloc(sizeof(u32) * bri_entries); - char *bri_text = (char *)malloc(8 * bri_entries); + char *bri_text = (char *)malloc(bri_text_size * bri_entries); for (u32 j = 1; j < bri_entries; j++) bri_values[j] = j * 10; @@ -525,20 +530,20 @@ void config_backlight() for (i = 1; i < bri_entries; i++) { if ((h_cfg.backlight / 20) != i) - bri_text[i * 32] = ' '; + bri_text[i * bri_text_size] = ' '; else - bri_text[i * 32] = '*'; + bri_text[i * bri_text_size] = '*'; if (i < 10) { - bri_text[i * 32 + 1] = i + '0'; - strcpy(bri_text + i * 32 + 2, "0%"); + bri_text[i * bri_text_size + 1] = i + '0'; + strcpy(bri_text + i * bri_text_size + 2, "0%"); } else - strcpy(bri_text + i * 32 + 1, "100%"); + strcpy(bri_text + i * bri_text_size + 1, "100%"); ments[i + 1].type = MENT_DATA; - ments[i + 1].caption = bri_text + i * 32; + ments[i + 1].caption = bri_text + (i * bri_text_size); ments[i + 1].data = &bri_values[i]; }
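Review bot: `u32 bri_text_size = 8;` in the first config_backlight() hunk has no comment saying why 8 bytes per caption is enough, and the margin is small: the longest caption written in the following hunk is one marker byte plus "100%" plus the terminator, 6 bytes. A comment on the declaration such as `/* marker + "100%" + NUL = 6 bytes per slot */` would tell whoever next changes a caption that the slot size has to change with it. The three malloc() results in this hunk are also used without a NULL check; whether this allocator can fail is not visible here.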