From patchwork Thu Apr 28 19:53:11 2011
X-Patchwork-Submitter: Anatolij Gustschin
X-Patchwork-Id: 93284
X-Patchwork-Delegate: agust@denx.de
From: Anatolij Gustschin
To: u-boot@lists.denx.de
Date: Thu, 28 Apr 2011 21:53:11 +0200
Message-Id: <1304020391-30141-1-git-send-email-agust@denx.de>
In-Reply-To: <1298131531-857-1-git-send-email-agust@denx.de>
References: <1298131531-857-1-git-send-email-agust@denx.de>
Subject: [U-Boot] [PATCH v2] cfb_console: fix RLE bitmap drawing code

There seem to be tools producing incorrect 'end of bitmap data'
markers '0100' in an RLE bitmap. Drawing such bitmaps can result
in overwriting memory above the frame buffer. E.g. on MPC5121e
based boards this memory can contain U-Boot environment. We may
not rely on the correct end of bitmap data marker 0001 only, but
also have to check whether we are going to draw a valid frame
buffer scan line.

The patch provides a fix by maintaining a pixel counter which
is incremented by the amount of pixels we are going to draw.
If the counter exceeds frame buffer pixels limit we stop the
drawing with the error message.

Reported-by: Michael Weiss
Signed-off-by: Anatolij Gustschin
Tested-by: Anatolij Gustschin
---
 drivers/video/cfb_console.c | 19 +++++++++++++++----
 1 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/drivers/video/cfb_console.c b/drivers/video/cfb_console.c
index dd849c2..b427c84 100644
--- a/drivers/video/cfb_console.c
+++ b/drivers/video/cfb_console.c
@@ -882,6 +882,8 @@ static int display_rle8_bitmap (bmp_image_t *img, int xoff, int yoff, struct palette p[256]; bmp_color_table_entry_t cte; int green_shift, red_off; + int limit = VIDEO_COLS * VIDEO_ROWS; + int pixels = 0; x = 0; y = __le32_to_cpu(img->header.height) - 1; @@ -962,6 +964,10 @@ static int display_rle8_bitmap (bmp_image_t *img, int xoff, int yoff, /* unencoded run */ cnt = bm[1]; runlen = cnt; + pixels += cnt; + if (pixels > limit) + goto error; + bm += 2; if (y < height) { if (x >= width) { @@ -970,7 +976,6 @@ static int display_rle8_bitmap (bmp_image_t *img, int xoff, int yoff, } if (x + runlen > width) cnt = width - x; - draw_bitmap (&fbp, bm, p, cnt, 0); x += runlen; } @@ -982,9 +987,13 @@ next_run: break; default: /* encoded run */ + cnt = bm[0]; + runlen = cnt; + pixels += cnt; + if (pixels > limit) + goto error; + if (y < height) { /* only draw into visible area */ - cnt = bm[0]; - runlen = cnt; if (x >= width) { x += runlen; bm += 2; @@ -992,7 +1001,6 @@ next_run: } if (x + runlen > width) cnt = width - x; - draw_bitmap (&fbp, bm, p, cnt, 1); x += runlen; } @@ -1001,6 +1009,9 @@ next_run: } } return 0; +error: + printf("Error: Too much encoded pixel data, validate your bitmap\n"); + return -1; } #endif
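Review bot: In the @@ -882 hunk, `limit = VIDEO_COLS * VIDEO_ROWS` bounds the count by the whole screen and takes no account of the bitmap's own dimensions or of the `xoff`/`yoff` draw origin in the function signature. A bitmap drawn at a nonzero offset has fewer frame buffer pixels available from its starting point than `limit` allows, so the check may still pass for a run that lands outside the buffer. Consider deriving the limit from the header width and height (the context already reads `img->header.height`), clamped to what remains of the screen from (xoff, yoff).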
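Review bot: In the unencoded-run case of the @@ -962 hunk, the new check bounds only the destination. After `cnt = bm[1]` and `bm += 2`, `cnt` literal bytes are consumed from `bm` by `draw_bitmap (&fbp, bm, p, cnt, 0)`, and nothing in the visible lines checks `bm` against the end of the bitmap data. A tool that writes wrong end markers can also produce truncated data, so a source-side bound (an end pointer computed from the header's size fields) next to `pixels > limit` would cover the read as well as the write.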
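Review bot: In the encoded-run case of the @@ -982 hunk, moving `cnt = bm[0]; runlen = cnt;` above `if (y < height)` makes `pixels` count runs that are never drawn: rows outside the visible area and the part of a run cut off by `cnt = width - x`. The counter therefore measures encoded data rather than frame buffer writes, and a well-formed bitmap larger than the screen, which the clipping code shown here would otherwise handle, can now end in `goto error`. If that is intended, say so in the commit message; otherwise count only the `cnt` passed to `draw_bitmap`, or bound the position directly, for example with a `y >= 0` test next to `y < height` if `y` counts down per scan line (the decrement is not in these hunks).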
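Review bot: The `error:` path added in the @@ -1001 hunk introduces a `return -1` where the visible code only had `return 0`, and the patch touches no call site, so please confirm that callers of display_rle8_bitmap() check the result. Drawing stops partway through at that point, leaving a partially drawn frame buffer; a short comment at the label stating that this is the expected outcome for a malformed bitmap would document it.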