bugfix: gigantic OSD configurations can blow through buffer

bri3d · bri3d · commit 7e0f047f2ab6 · 2022-07-11T13:57:36.000-06:00
diff --git a/msp_displayport_mux.c b/msp_displayport_mux.c
@@ -24,11 +24,10 @@ typedef struct msp_cache_entry_s {
 
 static msp_cache_entry_t *msp_message_cache[256]; // make a slot for all possible messages
 
-static uint8_t frame_buffer[4196]; // buffer a whole frame of MSP commands until we get a draw command
+static uint8_t frame_buffer[8192]; // buffer a whole frame of MSP commands until we get a draw command
 static uint32_t fb_cursor = 0;
 
-static uint8_t rx_message_buffer[256]; // only needs to be the maximum size of an MSP packet, we only care to fwd MSP
-static uint8_t tx_message_buffer[256];
+static uint8_t message_buffer[256]; // only needs to be the maximum size of an MSP packet, we only care to fwd MSP
 
 int pty_fd;
 int serial_fd;
@@ -94,9 +93,10 @@ static void rx_msp_callback(msp_msg_t *msp_message)
         // This was an MSP DisplayPort message, so buffer it until we get a whole frame.
         if(fb_cursor > sizeof(frame_buffer)) {
             printf("Exhausted frame buffer!\n");
+            return;
         }
-        uint16_t size = msp_data_from_msg(rx_message_buffer, msp_message);
-        memcpy(&frame_buffer[fb_cursor], rx_message_buffer, size);
+        uint16_t size = msp_data_from_msg(message_buffer, msp_message);
+        memcpy(&frame_buffer[fb_cursor], message_buffer, size);
         fb_cursor += size;
         if(msp_message->payload[0] == 4) {
             // Once we have a whole frame of data, send it to the goggles.
@@ -105,21 +105,21 @@ static void rx_msp_callback(msp_msg_t *msp_message)
             fb_cursor = 0;
         }
     } else {
-        uint16_t size = msp_data_from_msg(rx_message_buffer, msp_message);
+        uint16_t size = msp_data_from_msg(message_buffer, msp_message);
         // This isn't an MSP DisplayPort message, so send it to either DJI directly or to the cache.
         if(serial_passthrough) {
-            write(pty_fd, rx_message_buffer, size);
+            write(pty_fd, message_buffer, size);
         } else {
             // Serial passthrough is off, so cache the response we got.
             if(cache_msp_message(msp_message)) {
                 // 1 -> cache miss, so this message expired or hasn't been seen.
                 // this means DJI is waiting for it, so send it over
                 DEBUG_PRINT("DJI was waiting, got msg %d\n", msp_message->cmd);
                 for (int i = 0; i < size; i++) {
-                    DEBUG_PRINT("%02X ", rx_message_buffer[i]);
+                    DEBUG_PRINT("%02X ", message_buffer[i]);
                 }
                 DEBUG_PRINT("\n");
-                write(pty_fd, rx_message_buffer, size);
+                write(pty_fd, message_buffer, size);
             }
         }
     }
@@ -143,8 +143,8 @@ static void tx_msp_callback(msp_msg_t *msp_message)
     } else {
         // cache miss, so write the DJI request to serial and wait for the FC to come back.
         DEBUG_PRINT("DJI->FC MSP CACHE MISS msg %d\n",msp_message->cmd);
-        uint16_t size = msp_data_from_msg(tx_message_buffer, msp_message);
-        write(serial_fd, tx_message_buffer, size);
+        uint16_t size = msp_data_from_msg(message_buffer, msp_message);
+        write(serial_fd, message_buffer, size);
     }
 }
 
@@ -169,7 +169,7 @@ int main(int argc, char *argv[]) {
     }
   
     if((argc - optind) < 2) {
-        printf("usage: msp_displayport_mux [-f] [-s] [-p] ipaddr serial_port [pty_target]\n-s : enable serial caching\n-f : 230400 baud serial\n");
+        printf("usage: msp_displayport_mux [-f] [-s] ipaddr serial_port [pty_target]\n-s : enable serial caching\n-f : 230400 baud serial\n");
         return 0;
     }
 
diff --git a/osd_dji_udp.c b/osd_dji_udp.c
@@ -46,6 +46,10 @@
 #define SDCARD_FONT_PATH "/storage/sdcard0/font.bin"
 #define FONT_FILE_SIZE 1990656
 
+#define EV_CODE_BACK 0xc9
+
+#define BACK_BUTTON_DELAY 4
+
 #ifdef DEBUG
 #define DEBUG_PRINT(fmt, args...)    fprintf(stderr, fmt, ## args)
 #else
@@ -222,7 +226,7 @@ int main(int argc, char *argv[])
             start_display(is_v2_goggles);
             display_mode = DISPLAY_RUNNING;
         }
-        if(button_start.tv_sec > 0 && ((now.tv_sec - button_start.tv_sec) > 4)) {
+        if(button_start.tv_sec > 0 && ((now.tv_sec - button_start.tv_sec) > BACK_BUTTON_DELAY)) {
             // We held the back button down for 5 seconds.
             memset(&button_start, 0, sizeof(button_start));
             if (display_mode == DISPLAY_DISABLED) {
@@ -248,7 +252,7 @@ int main(int argc, char *argv[])
 
         if(poll_fds[1].revents) {
             read(event_fd, &ev, sizeof(struct input_event));
-            if(ev.code == 0xc9) {
+            if(ev.code == EV_CODE_BACK) {
                 if(ev.value == 1) {
                     clock_gettime(CLOCK_MONOTONIC, &button_start);
                 } else {
