]> git.dujemihanovic.xyz Git - u-boot.git/commitdiff
cfb_console: fix RLE bitmap drawing code
authorAnatolij Gustschin <agust@denx.de>
Mon, 21 Feb 2011 20:33:29 +0000 (21:33 +0100)
committerAnatolij Gustschin <agust@denx.de>
Thu, 28 Apr 2011 19:30:46 +0000 (21:30 +0200)
There seems to be tools producing incorrect 'end of bitmap data'
markers '0100' in a RLE bitmap. Drawing such bitmaps can result
in overwriting memory above the frame buffer. E.g. on MPC5121e
based boards this memory can contain U-Boot environment.

We may not rely on the correct end of bitmap data marker 0001
only, but also have to check whether we are going to draw a
valid frame buffer scan line.

The patch provides a fix by maintaining a pixel counter
which is incremented by the amount of pixels we are going
to draw. If the counter exceeds frame buffer pixels limit
we stop the drawing with the error message.

Reported-by: Michael Weiss <michael.weiss@ifm.com>
Signed-off-by: Anatolij Gustschin <agust@denx.de>
Tested-by: Anatolij Gustschin <agust@denx.de>
drivers/video/cfb_console.c

index dd849c2dc13207bae02c8a6479bfabe8085fe8f6..b427c84877c5fee9b3fbc925b0acaed3887f3e65 100644 (file)
@@ -882,6 +882,8 @@ static int display_rle8_bitmap (bmp_image_t *img, int xoff, int yoff,
        struct palette p[256];
        bmp_color_table_entry_t cte;
        int green_shift, red_off;
+       int limit = VIDEO_COLS * VIDEO_ROWS;
+       int pixels = 0;
 
        x = 0;
        y = __le32_to_cpu(img->header.height) - 1;
@@ -962,6 +964,10 @@ static int display_rle8_bitmap (bmp_image_t *img, int xoff, int yoff,
                                /* unencoded run */
                                cnt = bm[1];
                                runlen = cnt;
+                               pixels += cnt;
+                               if (pixels > limit)
+                                       goto error;
+
                                bm += 2;
                                if (y < height) {
                                        if (x >= width) {
@@ -970,7 +976,6 @@ static int display_rle8_bitmap (bmp_image_t *img, int xoff, int yoff,
                                        }
                                        if (x + runlen > width)
                                                cnt = width - x;
-
                                        draw_bitmap (&fbp, bm, p, cnt, 0);
                                        x += runlen;
                                }
@@ -982,9 +987,13 @@ next_run:
                        break;
                default:
                        /* encoded run */
+                       cnt = bm[0];
+                       runlen = cnt;
+                       pixels += cnt;
+                       if (pixels > limit)
+                               goto error;
+
                        if (y < height) { /* only draw into visible area */
-                               cnt = bm[0];
-                               runlen = cnt;
                                if (x >= width) {
                                        x += runlen;
                                        bm += 2;
@@ -992,7 +1001,6 @@ next_run:
                                }
                                if (x + runlen > width)
                                        cnt = width - x;
-
                                draw_bitmap (&fbp, bm, p, cnt, 1);
                                x += runlen;
                        }
@@ -1001,6 +1009,9 @@ next_run:
                }
        }
        return 0;
+error:
+       printf("Error: Too much encoded pixel data, validate your bitmap\n");
+       return -1;
 }
 #endif