
[U-Boot] cfb_console: fix RLE bitmap drawing code

Message ID 1298131531-857-1-git-send-email-agust@denx.de
State Superseded
Delegated to: Anatolij Gustschin

Commit Message

Anatolij Gustschin Feb. 19, 2011, 4:05 p.m. UTC
There seem to be tools producing incorrect 'end of bitmap data'
markers '0100' in a RLE bitmap. Drawing such bitmaps can result
in overwriting memory above the frame buffer. E.g. on MPC5121e
based boards this memory can contain the U-Boot environment.

We may not rely on the correct end of bitmap data marker 0001
only, but also have to check whether we are going to draw a
valid frame buffer scan line.

The patch provides a simple fix by checking the row index:
we finish the drawing if the row index becomes negative.

Reported-by: Michael Weiss <michael.weiss@ifm.com>
Signed-off-by: Anatolij Gustschin <agust@denx.de>
Tested-by: Anatolij Gustschin <agust@denx.de>
---
 drivers/video/cfb_console.c |    9 ++++++++-
 1 files changed, 8 insertions(+), 1 deletions(-)

Patch

diff --git a/drivers/video/cfb_console.c b/drivers/video/cfb_console.c
index 3d047f2..599ebdb 100644
--- a/drivers/video/cfb_console.c
+++ b/drivers/video/cfb_console.c
@@ -938,7 +938,10 @@  static int display_rle8_bitmap (bmp_image_t *img, int xoff, int yoff,
 				/* scan line end marker */
 				bm += 2;
 				x = 0;
-				y--;
+				if (--y < 0) {
+					decode = 0;
+					continue;
+				}
 				fbp = (unsigned char *)
 					((unsigned int)video_fb_address +
 					 (((y + yoff) * VIDEO_COLS) +
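Review bot: the new `if (--y < 0)` exit in the scan line end branch stops decoding silently, so a bitmap with a bad end marker is drawn truncated with nothing telling the user the image data is malformed. Please add a short comment above the check saying that it guards against computing `fbp` for a row outside the frame buffer when the end of bitmap marker is missing or wrong, and consider a debug message on this path. The check also relies on `continue` re-evaluating a loop condition that tests `decode`; the comment should say so, since the loop head is not near this code.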
@@ -952,6 +955,10 @@  static int display_rle8_bitmap (bmp_image_t *img, int xoff, int yoff,
 				/* run offset marker */
 				x += bm[2];
 				y -= bm[3];
+				if (y < 0) {
+					decode = 0;
+					continue;
+				}
 				fbp = (unsigned char *)
 					((unsigned int)video_fb_address +
 					 (((y + yoff) * VIDEO_COLS) +
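Review bot: in the run offset branch only `y` is validated after `y -= bm[3]`; `x += bm[2]` just above it is not bounded in the lines shown, so an offset record can still move the write position past the end of the scan line before `fbp` is recomputed. Consider also rejecting an `x` beyond the bitmap width here. The three-line `y < 0` check is now duplicated from the scan line end branch; a small helper or a single check placed before the shared `fbp` computation would keep the two paths from drifting apart.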