| Message ID | 5F9CDB8A.9000001@huawei.com |
|---|---|
| State | New |
| Headers | show |
| Series | [V2] hw/display/omap_lcdc: Fix potential NULL pointer dereference | expand |
On Sat, 31 Oct 2020 at 03:35, AlexChen <alex.chen@huawei.com> wrote: > > In omap_lcd_interrupts(), the pointer omap_lcd is dereferinced before > being check if it is valid, which may lead to NULL pointer dereference. > So move the assignment to surface after checking that the omap_lcd is valid > and move surface_bits_per_pixel(surface) to after the surface assignment. > > Reported-by: Euler Robot <euler.robot@huawei.com> > Signed-off-by: AlexChen <alex.chen@huawei.com> > --- > hw/display/omap_lcdc.c | 10 +++++++--- > 1 file changed, 7 insertions(+), 3 deletions(-) Applied to target-arm.next, thanks. -- PMM
diff --git a/hw/display/omap_lcdc.c b/hw/display/omap_lcdc.c index fa4a381db6..58e659c94f 100644 --- a/hw/display/omap_lcdc.c +++ b/hw/display/omap_lcdc.c @@ -78,14 +78,18 @@ static void omap_lcd_interrupts(struct omap_lcd_panel_s *s) static void omap_update_display(void *opaque) { struct omap_lcd_panel_s *omap_lcd = (struct omap_lcd_panel_s *) opaque; - DisplaySurface *surface = qemu_console_surface(omap_lcd->con); + DisplaySurface *surface; draw_line_func draw_line; int size, height, first, last; int width, linesize, step, bpp, frame_offset; hwaddr frame_base; - if (!omap_lcd || omap_lcd->plm == 1 || !omap_lcd->enable || - !surface_bits_per_pixel(surface)) { + if (!omap_lcd || omap_lcd->plm == 1 || !omap_lcd->enable) { + return; + } + + surface = qemu_console_surface(omap_lcd->con); + if (!surface_bits_per_pixel(surface)) { return; }
In omap_lcd_interrupts(), the pointer omap_lcd is dereferinced before being check if it is valid, which may lead to NULL pointer dereference. So move the assignment to surface after checking that the omap_lcd is valid and move surface_bits_per_pixel(surface) to after the surface assignment. Reported-by: Euler Robot <euler.robot@huawei.com> Signed-off-by: AlexChen <alex.chen@huawei.com> --- hw/display/omap_lcdc.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-)