From: Heinrich Schuchardt <xypron.glpk@gmx.de>
Date: Wed, 19 Sep 2018 17:15:14 +0000 (+0200)
Subject: dm: video: check bounds for column and row
X-Git-Tag: v2025.01-rc5-pxa1908~3516^2~7
X-Git-Url: http://git.dujemihanovic.xyz/html/static/git-favicon.png?a=commitdiff_plain;h=4b985e0035263b62d5a0cb9de42c87171892949f;p=u-boot.git

dm: video: check bounds for column and row

CSI H can be used to position the cursor. The calling application may
specify a location that is beyond the limits of the screen. This may
lead to an illegal memory access.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
---

diff --git a/drivers/video/vidconsole-uclass.c b/drivers/video/vidconsole-uclass.c
index f1d3ad3611..0c36a5de0a 100644
--- a/drivers/video/vidconsole-uclass.c
+++ b/drivers/video/vidconsole-uclass.c
@@ -213,6 +213,14 @@ static void vidconsole_escape_char(struct udevice *dev, char ch)
 		s++;    /* ; */
 		s = parsenum(s, &col);
 
+		/*
+		 * Ensure we stay in the bounds of the screen.
+		 */
+		if (row >= priv->rows)
+			row = priv->rows - 1;
+		if (col >= priv->cols)
+			col = priv->cols - 1;
+
 		priv->ycur = row * priv->y_charsize;
 		priv->xcur_frac = priv->xstart_frac +
 			VID_TO_POS(col * priv->x_charsize);