psplash.c: fix crash from length becoming negative

If there is an error in read(), it returns -1 but this is just added to
length without checking first. This can lead to a runaway negative
value for length which eventually crashes when memchr() is called with the
negative value.

The fix is to check the return from read() first and handle the error
state.

[YOCTO #14806]

Signed-off-by: Chris Moore <cmoore@hanoverdisplays.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

psplash.c

@@ -140,6 +140,7 @@ psplash_main (PSplashFB *fb, int pipe_fd, int timeout)
 {
   int            err;
   ssize_t        length = 0;
+  ssize_t        ret = 0;
   fd_set         descriptors;
   struct timeval tv;
   char          *end;
@@ -170,15 +171,16 @@ psplash_main (PSplashFB *fb, int pipe_fd, int timeout)
 	  return;
 	}
       
-      length += read (pipe_fd, end, sizeof(command) - (end - command));
+      ret = read (pipe_fd, end, sizeof(command) - (end - command));
 
-      if (length == 0) 
+      if (ret <= 0)
 	{
 	  /* Reopen to see if there's anything more for us */
 	  close(pipe_fd);
 	  pipe_fd = open(PSPLASH_FIFO,O_RDONLY|O_NONBLOCK);
 	  goto out;
 	}
+      length += ret;
 
       cmd = command;
       do {