From 5c431b14de9cfbb54ea93b876afc31a1e3305913 Mon Sep 17 00:00:00 2001
From: "Carsten Haitzler (Rasterman)" <raster@rasterman.com>
Date: Thu, 9 Feb 2017 17:03:49 +0900
Subject: [PATCH] evas fb dev env var - allow in setuid processes with
 sanitizing

this allows only /dev/fb[0-0] or /dev/fb/something where somthing does
not begin with a . - thus no way to break out of the fb subdir... so
it should be ok... this keeps setuid safety and allows this env var to
work now as intended in this situation.
---
 src/lib/ecore_fb/ecore_fb.c                | 14 +++++++-------
 src/modules/evas/engines/fb/evas_fb_main.c | 13 ++++++-------
 2 files changed, 13 insertions(+), 14 deletions(-)

diff --git a/src/lib/ecore_fb/ecore_fb.c b/src/lib/ecore_fb/ecore_fb.c
index d11225e79f..0d90242d0b 100644
--- a/src/lib/ecore_fb/ecore_fb.c
+++ b/src/lib/ecore_fb/ecore_fb.c
@@ -120,16 +120,16 @@ _ecore_fb_size_get(const char *name, int *w, int *h)
 {
    struct fb_var_screeninfo fb_var;
    int fb;
+   const char *s;
 
-   if (
-#if defined(HAVE_GETUID) && defined(HAVE_GETEUID)
-       (getuid() == geteuid()) &&
-#endif
-       (getenv("EVAS_FB_DEV")))
+   if ((s = getenv("EVAS_FB_DEV")) &&
+       (((!strncmp(s, "/dev/fb", 7)) &&
+         ((s[7] >= '0' && s[7] <= '9') || (s[7] == 0))) ||
+           ((!strncmp(s, "/dev/fb/", 8)) && (s[8] != '.'))))
      {
-        fb = open(getenv("EVAS_FB_DEV"), O_RDWR);
+        fb = open(s, O_RDWR);
         if (fb < 0)
-          fprintf(stderr, "[ecore_fb] error opening $EVAS_FB_DEV=%s: %s\n", getenv("EVAS_FB_DEV"), strerror(errno));
+          fprintf(stderr, "[ecore_fb] error opening $EVAS_FB_DEV=%s: %s\n", s, strerror(errno));
      }
    else
      {
diff --git a/src/modules/evas/engines/fb/evas_fb_main.c b/src/modules/evas/engines/fb/evas_fb_main.c
index aab4147b4b..5690c83801 100644
--- a/src/modules/evas/engines/fb/evas_fb_main.c
+++ b/src/modules/evas/engines/fb/evas_fb_main.c
@@ -766,7 +766,7 @@ void
 fb_init(int vt EINA_UNUSED, int device)
 {
    char dev[PATH_MAX];
-   
+   const char *s;
 
    DBG("device=%d, $EVAS_FB_DEV=%s", device, getenv("EVAS_FB_DEV"));
    tty = -1;
@@ -774,13 +774,12 @@ fb_init(int vt EINA_UNUSED, int device)
    if (vt != 0) fb_setvt(vt);
 #endif
 
-   if (
-#if defined(HAVE_GETUID) && defined(HAVE_GETEUID)
-       (getuid() == geteuid()) &&
-#endif
-       (getenv("EVAS_FB_DEV")))
+   if ((s = getenv("EVAS_FB_DEV")) &&
+       (((!strncmp(s, "/dev/fb", 7)) &&
+         ((s[7] >= '0' && s[7] <= '9') || (s[7] == 0))) ||
+           ((!strncmp(s, "/dev/fb/", 8)) && (s[8] != '.'))))
      {
-        eina_strlcpy(dev, getenv("EVAS_FB_DEV"), sizeof(dev));
+        eina_strlcpy(dev, s, sizeof(dev));
         fb = open(dev, O_RDWR);
      }
    else