From patchwork Thu Aug 16 14:55:03 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?b?VmlsbGUgU3lyasOkbMOk?=
 <ville.syrjala@linux.intel.com>
X-Patchwork-Id: 1333151
Return-Path: 
 <dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org>
X-Original-To: patchwork-dri-devel@patchwork.kernel.org
Delivered-To: patchwork-process-083081@patchwork1.kernel.org
Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177])
	by patchwork1.kernel.org (Postfix) with ESMTP id 70F863FC33
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Thu, 16 Aug 2012 14:55:35 +0000 (UTC)
Received: from gabe.freedesktop.org (localhost [127.0.0.1])
	by gabe.freedesktop.org (Postfix) with ESMTP id 50CF59F0BC
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Thu, 16 Aug 2012 07:55:34 -0700 (PDT)
X-Original-To: dri-devel@lists.freedesktop.org
Delivered-To: dri-devel@lists.freedesktop.org
Received: from mga11.intel.com (mga11.intel.com [192.55.52.93])
	by gabe.freedesktop.org (Postfix) with ESMTP id 1C5759F0BC
	for <dri-devel@lists.freedesktop.org>;
	Thu, 16 Aug 2012 07:55:23 -0700 (PDT)
Received: from fmsmga001.fm.intel.com ([10.253.24.23])
	by fmsmga102.fm.intel.com with ESMTP; 16 Aug 2012 07:55:22 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="4.77,778,1336374000"; d="scan'208";a="202765112"
Received: from stinkbox.fi.intel.com (HELO stinkbox) ([10.237.72.168])
	by fmsmga001.fm.intel.com with SMTP; 16 Aug 2012 07:55:20 -0700
Received: by stinkbox (sSMTP sendmail emulation);
	Thu, 16 Aug 2012 17:55:20 +0300
From: ville.syrjala@linux.intel.com
To: dri-devel@lists.freedesktop.org
Subject: [PATCH 1/4] drm: edid: Add bounds checking to CEA 18 byte descriptor
	parsing
Date: Thu, 16 Aug 2012 17:55:03 +0300
Message-Id: <1345128906-17681-2-git-send-email-ville.syrjala@linux.intel.com>
X-Mailer: git-send-email 1.7.8.6
In-Reply-To: <1345128906-17681-1-git-send-email-ville.syrjala@linux.intel.com>
References: <1345128906-17681-1-git-send-email-ville.syrjala@linux.intel.com>
MIME-Version: 1.0
X-BeenThere: dri-devel@lists.freedesktop.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Direct Rendering Infrastructure - Development
	<dri-devel.lists.freedesktop.org>
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
Sender: 
 dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org
Errors-To: 
 dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org

From: Ville Syrjälä <ville.syrjala@linux.intel.com>

Make sure we don't access beyond the extension block when parsing CEA
detailed timing descriptors.

Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
---
 drivers/gpu/drm/drm_edid.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/drivers/gpu/drm/drm_edid.c b/drivers/gpu/drm/drm_edid.c
index 5873e48..a346b04 100644
--- a/drivers/gpu/drm/drm_edid.c
+++ b/drivers/gpu/drm/drm_edid.c
@@ -551,6 +551,9 @@ cea_for_each_detailed_block(u8 *ext, detailed_cb *cb, void *closure)
 	u8 d = ext[0x02];
 	u8 *det_base = ext + d;
 
+	if (d > 127)
+		return;
+
 	n = (127 - d) / 18;
 	for (i = 0; i < n; i++)
 		cb((struct detailed_timing *)(det_base + 18 * i), closure);