video: buffer overrun in TrueType console
authorHeinrich Schuchardt <xypron.glpk@gmx.de>
Sun, 28 Feb 2021 20:42:51 +0000 (21:42 +0100)
committerHeinrich Schuchardt <xypron.glpk@gmx.de>
Sun, 1 Aug 2021 13:45:11 +0000 (15:45 +0200)
When scrolling the TrueType console a buffer overrun occurs.

Fixes: a29b012037cc ("video: Add a console driver that uses TrueType fonts")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
drivers/video/console_truetype.c

index fa11b3bbefec98491b12428c5ce761a4d75f6f41..98427f4c618ccabf02115cfd393d79c9d604f61f 100644 (file)
@@ -128,38 +128,36 @@ static int console_truetype_set_row(struct udevice *dev, uint row, int clr)
        struct video_priv *vid_priv = dev_get_uclass_priv(dev->parent);
        struct console_tt_priv *priv = dev_get_priv(dev);
        void *end, *line;
-       int pixels = priv->font_size * vid_priv->line_length;
-       int i, ret;
+       int ret;
 
        line = vid_priv->fb + row * priv->font_size * vid_priv->line_length;
+       end = line + priv->font_size * vid_priv->line_length;
+
        switch (vid_priv->bpix) {
 #ifdef CONFIG_VIDEO_BPP8
        case VIDEO_BPP8: {
-               uint8_t *dst = line;
+               u8 *dst;
 
-               for (i = 0; i < pixels; i++)
-                       *dst++ = clr;
-               end = dst;
+               for (dst = line; dst < (u8 *)end; ++dst)
+                       *dst = clr;
                break;
        }
 #endif
 #ifdef CONFIG_VIDEO_BPP16
        case VIDEO_BPP16: {
-               uint16_t *dst = line;
+               u16 *dst = line;
 
-               for (i = 0; i < pixels; i++)
-                       *dst++ = clr;
-               end = dst;
+               for (dst = line; dst < (u16 *)end; ++dst)
+                       *dst = clr;
                break;
        }
 #endif
 #ifdef CONFIG_VIDEO_BPP32
        case VIDEO_BPP32: {
-               uint32_t *dst = line;
+               u32 *dst = line;
 
-               for (i = 0; i < pixels; i++)
-                       *dst++ = clr;
-               end = dst;
+               for (dst = line; dst < (u32 *)end; ++dst)
+                       *dst = clr;
                break;
        }
 #endif
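Review bot: `line` and `end` are still computed from `row` with no check against the framebuffer size, so the rewritten loops are bounded to one text row but not to the buffer itself. Whether every caller passes a valid row is not visible from this hunk; if that is not guaranteed, a guard right after `end` is computed, such as `if (end > vid_priv->fb + vid_priv->fb_size) return -EINVAL;`, would make the function safe on its own. The root cause also deserves a comment next to that computation, e.g. `/* line_length is in bytes, not pixels */`, because the old loops appear to have overrun by using the byte count as an element count at 16 and 32 bpp. The function body continues past the hunk, so later uses of `end` cannot be confirmed from here.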