Message ID | 20180919171514.15540-1-xypron.glpk@gmx.de |
---|---|
State | Accepted |
Commit | 4b985e0035263b62d5a0cb9de42c87171892949f |
Headers | show |
Series | [U-Boot,1/1] dm: video: check bounds for column and row | expand |
On 19.09.18 19:15, Heinrich Schuchardt wrote: > CSI H can be used to position the cursor. The calling application may > specify a location that is beyond the limits of the screen. This may > lead to an illegal memory access. > > Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Reviewed-by: Alexander Graf <agraf@suse.de> I'll be happy to take this in via efi-next if nobody beats me to it, as it fixes a test failure we're not triggering otherwise. Alex > --- > drivers/video/vidconsole-uclass.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/drivers/video/vidconsole-uclass.c b/drivers/video/vidconsole-uclass.c > index f1d3ad3611..0c36a5de0a 100644 > --- a/drivers/video/vidconsole-uclass.c > +++ b/drivers/video/vidconsole-uclass.c > @@ -213,6 +213,14 @@ static void vidconsole_escape_char(struct udevice *dev, char ch) > s++; /* ; */ > s = parsenum(s, &col); > > + /* > + * Ensure we stay in the bounds of the screen. > + */ > + if (row >= priv->rows) > + row = priv->rows - 1; > + if (col >= priv->cols) > + col = priv->cols - 1; > + > priv->ycur = row * priv->y_charsize; > priv->xcur_frac = priv->xstart_frac + > VID_TO_POS(col * priv->x_charsize); >
On Wed, 19 Sep 2018 19:15:14 +0200 Heinrich Schuchardt xypron.glpk@gmx.de wrote: > CSI H can be used to position the cursor. The calling application may > specify a location that is beyond the limits of the screen. This may > lead to an illegal memory access. > > Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> > --- > drivers/video/vidconsole-uclass.c | 8 ++++++++ > 1 file changed, 8 insertions(+) Applied to u-boot-video/master, thanks! -- Anatolij
On Sun, 23 Sep 2018 13:35:16 +0200 Alexander Graf agraf@suse.de wrote: ... > I'll be happy to take this in via efi-next if nobody beats me to it, as > it fixes a test failure we're not triggering otherwise. I've applied this to video tree since later video patches depend on it. Thanks, -- Anatolij
diff --git a/drivers/video/vidconsole-uclass.c b/drivers/video/vidconsole-uclass.c index f1d3ad3611..0c36a5de0a 100644 --- a/drivers/video/vidconsole-uclass.c +++ b/drivers/video/vidconsole-uclass.c @@ -213,6 +213,14 @@ static void vidconsole_escape_char(struct udevice *dev, char ch) s++; /* ; */ s = parsenum(s, &col); + /* + * Ensure we stay in the bounds of the screen. + */ + if (row >= priv->rows) + row = priv->rows - 1; + if (col >= priv->cols) + col = priv->cols - 1; + priv->ycur = row * priv->y_charsize; priv->xcur_frac = priv->xstart_frac + VID_TO_POS(col * priv->x_charsize);
CSI H can be used to position the cursor. The calling application may specify a location that is beyond the limits of the screen. This may lead to an illegal memory access. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> --- drivers/video/vidconsole-uclass.c | 8 ++++++++ 1 file changed, 8 insertions(+)