From: "Ville Syrjälä" <ville.syrjala@linux.intel.com>
To: Christian Schmidt <schmidt@digadd.de>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH] Fix wrong assumptions in cea_for_each_detailed_block
Date: Thu, 1 Mar 2012 13:57:41 +0200 [thread overview]
Message-ID: <20120301115741.GU3592@intel.com> (raw)
In-Reply-To: <20120301115301.GT3592@intel.com>
On Thu, Mar 01, 2012 at 01:53:01PM +0200, Ville Syrjälä wrote:
> On Sun, Nov 13, 2011 at 02:04:54AM +0100, Christian Schmidt wrote:
> > The current logic misunderstands the spec about CEA 18byte descriptors.
> > First, the spec doesn't state "detailed timing descriptors" but "18 byte
> > descriptors", so any data record could be stored, mixed timings and
> > other data, just as in the standard EDID.
> > Second, the lower four bit of byte 3 of the CEA record do not contain
> > the number of descriptors, but "the total number of DTDs defining native
> > formats in the whole EDID [...], starting with the first DTD in the DTD
> > list (which starts in the base EDID block)." A device can of course
> > support non-native formats.
> >
> > As such the number can't be used to determine n, and the existing code
> > will filter non-timing 18byte descriptors anyway.
> >
> > Signed-off-by: Christian Schmidt <schmidt@digadd,de>
>
> > diff -ur linux-3.2-rc1.orig/drivers/gpu/drm/drm_edid.c linux-3.2-rc1/drivers/gpu/drm/drm_edid.c
> > --- linux-3.2-rc1.orig/drivers/gpu/drm/drm_edid.c 2011-11-13 01:42:29.771092473 +0100
> > +++ linux-3.2-rc1/drivers/gpu/drm/drm_edid.c 2011-11-13 01:54:32.031062983 +0100
> > @@ -511,22 +511,7 @@
> > u8 rev = ext[0x01], d = ext[0x02];
> > u8 *det_base = ext + d;
> >
> > - switch (rev) {
> > - case 0:
> > - /* can't happen */
> > - return;
> > - case 1:
> > - /* have to infer how many blocks we have, check pixel clock */
> > - for (i = 0; i < 6; i++)
> > - if (det_base[18*i] || det_base[18*i+1])
> > - n++;
> > - break;
> > - default:
> > - /* explicit count */
> > - n = min(ext[0x03] & 0x0f, 6);
> > - break;
> > - }
> > -
> > + n = (127 - d) / 18;
> > for (i = 0; i < n; i++)
> > cb((struct detailed_timing *)(det_base + 18 * i), closure);
> > }
>
> I just stumbled on this same thing when looking at some internal patch.
>
> Looks good, except you should also check that 'd' is less than 127.
> I do wonder how may other unchecked buffer accesses there are in the
> EDID code...
Ah, didn't realize this was in already. I was looking at an older tree.
I'll send a patch to do the bounds checking...
--
Ville Syrjälä
Intel OTC
prev parent reply other threads:[~2012-03-01 11:50 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-11-13 1:04 [PATCH] Fix wrong assumptions in cea_for_each_detailed_block Christian Schmidt
2012-03-01 11:53 ` Ville Syrjälä
2012-03-01 11:57 ` Ville Syrjälä [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120301115741.GU3592@intel.com \
--to=ville.syrjala@linux.intel.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=schmidt@digadd.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.