
[1/1] video: buffer overrun in TrueType console

Message ID 20210228205413.1088-1-xypron.glpk@gmx.de
State Under Review
Delegated to: Anatolij Gustschin
Series [1/1] video: buffer overrun in TrueType console | expand

Commit Message

Heinrich Schuchardt Feb. 28, 2021, 8:54 p.m. UTC
When scrolling the TrueType console a buffer overrun occurs.

Fixes: a29b012037cc ("video: Add a console driver that uses TrueType fonts")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
---
 drivers/video/console_truetype.c | 26 ++++++++++++--------------
 1 file changed, 12 insertions(+), 14 deletions(-)

--
2.30.1

Comments

Simon Glass March 3, 2021, 1:54 a.m. UTC | #1
On Sun, 28 Feb 2021 at 13:54, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote:
>
> When scrolling the TrueType console a buffer overrun occurs.
>
> Fixes: a29b012037cc ("video: Add a console driver that uses TrueType fonts")
> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
> ---
>  drivers/video/console_truetype.c | 26 ++++++++++++--------------
>  1 file changed, 12 insertions(+), 14 deletions(-)

Reviewed-by: Simon Glass <sjg@chromium.org>

Patch

diff --git a/drivers/video/console_truetype.c b/drivers/video/console_truetype.c
index b9d467ac90..6d40be6482 100644
--- a/drivers/video/console_truetype.c
+++ b/drivers/video/console_truetype.c
@@ -128,38 +128,36 @@  static int console_truetype_set_row(struct udevice *dev, uint row, int clr)
 	struct video_priv *vid_priv = dev_get_uclass_priv(dev->parent);
 	struct console_tt_priv *priv = dev_get_priv(dev);
 	void *end, *line;
-	int pixels = priv->font_size * vid_priv->line_length;
-	int i, ret;
+	int ret;

 	line = vid_priv->fb + row * priv->font_size * vid_priv->line_length;
+	end = line + priv->font_size * vid_priv->line_length;
+
 	switch (vid_priv->bpix) {
 #ifdef CONFIG_VIDEO_BPP8
 	case VIDEO_BPP8: {
-		uint8_t *dst = line;
+		u8 *dst;

-		for (i = 0; i < pixels; i++)
-			*dst++ = clr;
-		end = dst;
+		for (dst = line; dst < (u8 *)end; ++dst)
+			*dst = clr;
 		break;
 	}
 #endif
 #ifdef CONFIG_VIDEO_BPP16
 	case VIDEO_BPP16: {
-		uint16_t *dst = line;
+		u16 *dst = line;

-		for (i = 0; i < pixels; i++)
-			*dst++ = clr;
-		end = dst;
+		for (dst = line; dst < (u16 *)end; ++dst)
+			*dst = clr;
 		break;
 	}
 #endif
 #ifdef CONFIG_VIDEO_BPP32
 	case VIDEO_BPP32: {
-		uint32_t *dst = line;
+		u32 *dst = line;

-		for (i = 0; i < pixels; i++)
-			*dst++ = clr;
-		end = dst;
+		for (dst = line; dst < (u32 *)end; ++dst)
+			*dst = clr;
 		break;
 	}
 #endif
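Review bot: The fill loops are now bounded by `end`, but the start address `line` is still computed from `row` with no check against the framebuffer, so an out-of-range `row` would still write outside it; whether callers guarantee the range cannot be seen from this hunk. If they do not, a guard before the `switch` such as `if (end > vid_priv->fb + vid_priv->fb_size) return -EINVAL;` would close that, assuming `fb_size` describes the buffer at `fb`. A one-line comment above the `end` assignment, `/* line_length is in bytes, so end is a byte address */`, would record why the old per-element count overran for 16 and 32 bpp. The BPP16 and BPP32 cases also initialise `dst` twice (`u16 *dst = line;` and again in the `for`), unlike the BPP8 case; plain `u16 *dst;` and `u32 *dst;` would keep the three consistent. The body of console_truetype_set_row starts and ends outside the hunk.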