Message ID | 1304020391-30141-1-git-send-email-agust@denx.de |
---|---|
State | Accepted |
Commit | 74446b63dd4ec386fc5de554d5c4a3536096072f |
Delegated to: | Anatolij Gustschin |
Headers | show |
On Thu, 28 Apr 2011 21:53:11 +0200 Anatolij Gustschin <agust@denx.de> wrote: > There seems to be tools producing incorrect 'end of bitmap data' > markers '0100' in a RLE bitmap. Drawing such bitmaps can result > in overwriting memory above the frame buffer. E.g. on MPC5121e > based boards this memory can contain U-Boot environment. > > We may not rely on the correct end of bitmap data marker 0001 > only, but also have to check whether we are going to draw a > valid frame buffer scan line. > > The patch provides a fix by maintaining a pixel counter > which is incremented by the amount of pixels we are going > to draw. If the counter exceeds frame buffer pixels limit > we stop the drawing with the error message. > > Reported-by: Michael Weiss <michael.weiss@ifm.com> > Signed-off-by: Anatolij Gustschin <agust@denx.de> > Tested-by: Anatolij Gustschin <agust@denx.de> > --- > drivers/video/cfb_console.c | 19 +++++++++++++++---- > 1 files changed, 15 insertions(+), 4 deletions(-) applied to u-boot-video/master.
diff --git a/drivers/video/cfb_console.c b/drivers/video/cfb_console.c index dd849c2..b427c84 100644 --- a/drivers/video/cfb_console.c +++ b/drivers/video/cfb_console.c @@ -882,6 +882,8 @@ static int display_rle8_bitmap (bmp_image_t *img, int xoff, int yoff, struct palette p[256]; bmp_color_table_entry_t cte; int green_shift, red_off; + int limit = VIDEO_COLS * VIDEO_ROWS; + int pixels = 0; x = 0; y = __le32_to_cpu(img->header.height) - 1; @@ -962,6 +964,10 @@ static int display_rle8_bitmap (bmp_image_t *img, int xoff, int yoff, /* unencoded run */ cnt = bm[1]; runlen = cnt; + pixels += cnt; + if (pixels > limit) + goto error; + bm += 2; if (y < height) { if (x >= width) { @@ -970,7 +976,6 @@ static int display_rle8_bitmap (bmp_image_t *img, int xoff, int yoff, } if (x + runlen > width) cnt = width - x; - draw_bitmap (&fbp, bm, p, cnt, 0); x += runlen; } @@ -982,9 +987,13 @@ next_run: break; default: /* encoded run */ + cnt = bm[0]; + runlen = cnt; + pixels += cnt; + if (pixels > limit) + goto error; + if (y < height) { /* only draw into visible area */ - cnt = bm[0]; - runlen = cnt; if (x >= width) { x += runlen; bm += 2; @@ -992,7 +1001,6 @@ next_run: } if (x + runlen > width) cnt = width - x; - draw_bitmap (&fbp, bm, p, cnt, 1); x += runlen; } @@ -1001,6 +1009,9 @@ next_run: } } return 0; +error: + printf("Error: Too much encoded pixel data, validate your bitmap\n"); + return -1; } #endif