* [PATCH] video: fbdev: metronomefb: fix some off by one bugs
@ 2018-07-03 12:28 ` Dan Carpenter
2018-07-24 15:29 ` Bartlomiej Zolnierkiewicz
0 siblings, 1 reply; 2+ messages in thread
From: Dan Carpenter @ 2018-07-03 12:28 UTC (permalink / raw)
To: Bartlomiej Zolnierkiewicz; +Cc: linux-fbdev, kernel-janitors, dri-devel
The "mem" buffer has "size" bytes. The ">" should be ">=" to prevent
reading one character beyond the end of the array.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
Not tested.
diff --git a/drivers/video/fbdev/metronomefb.c b/drivers/video/fbdev/metronomefb.c
index 9085e9525341..bb4fee52e501 100644
--- a/drivers/video/fbdev/metronomefb.c
+++ b/drivers/video/fbdev/metronomefb.c
@@ -233,7 +233,7 @@ static int load_waveform(u8 *mem, size_t size, int m, int t,
/* check temperature range table checksum */
cksum_idx = sizeof(*wfm_hdr) + wfm_hdr->trc + 1;
- if (cksum_idx > size)
+ if (cksum_idx >= size)
return -EINVAL;
cksum = calc_cksum(sizeof(*wfm_hdr), cksum_idx, mem);
if (cksum != mem[cksum_idx]) {
@@ -245,7 +245,7 @@ static int load_waveform(u8 *mem, size_t size, int m, int t,
/* check waveform mode table address checksum */
wmta = get_unaligned_le32(wfm_hdr->wmta) & 0x00FFFFFF;
cksum_idx = wmta + m*4 + 3;
- if (cksum_idx > size)
+ if (cksum_idx >= size)
return -EINVAL;
cksum = calc_cksum(cksum_idx - 3, cksum_idx, mem);
if (cksum != mem[cksum_idx]) {
@@ -257,7 +257,7 @@ static int load_waveform(u8 *mem, size_t size, int m, int t,
/* check waveform temperature table address checksum */
tta = get_unaligned_le32(mem + wmta + m * 4) & 0x00FFFFFF;
cksum_idx = tta + trn*4 + 3;
- if (cksum_idx > size)
+ if (cksum_idx >= size)
return -EINVAL;
cksum = calc_cksum(cksum_idx - 3, cksum_idx, mem);
if (cksum != mem[cksum_idx]) {
@@ -270,7 +270,7 @@ static int load_waveform(u8 *mem, size_t size, int m, int t,
metromem buffer. this does runlength decoding of the waveform */
wfm_idx = get_unaligned_le32(mem + tta + trn * 4) & 0x00FFFFFF;
owfm_idx = wfm_idx;
- if (wfm_idx > size)
+ if (wfm_idx >= size)
return -EINVAL;
while (wfm_idx < size) {
unsigned char rl;
@@ -292,7 +292,7 @@ static int load_waveform(u8 *mem, size_t size, int m, int t,
}
cksum_idx = wfm_idx;
- if (cksum_idx > size)
+ if (cksum_idx >= size)
return -EINVAL;
cksum = calc_cksum(owfm_idx, cksum_idx, mem);
if (cksum != mem[cksum_idx]) {
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] video: fbdev: metronomefb: fix some off by one bugs
2018-07-03 12:28 ` [PATCH] video: fbdev: metronomefb: fix some off by one bugs Dan Carpenter
@ 2018-07-24 15:29 ` Bartlomiej Zolnierkiewicz
0 siblings, 0 replies; 2+ messages in thread
From: Bartlomiej Zolnierkiewicz @ 2018-07-24 15:29 UTC (permalink / raw)
To: Dan Carpenter; +Cc: linux-fbdev, kernel-janitors, dri-devel
On Tuesday, July 03, 2018 03:28:13 PM Dan Carpenter wrote:
> The "mem" buffer has "size" bytes. The ">" should be ">=" to prevent
> reading one character beyond the end of the array.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Patch queued for 4.19, thanks.
Best regards,
--
Bartlomiej Zolnierkiewicz
Samsung R&D Institute Poland
Samsung Electronics
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-07-24 15:29 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <CGME20180703122830epcas5p19c5ec248b138aafdb0c6f156ef3d8aca@epcas5p1.samsung.com>
2018-07-03 12:28 ` [PATCH] video: fbdev: metronomefb: fix some off by one bugs Dan Carpenter
2018-07-24 15:29 ` Bartlomiej Zolnierkiewicz
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).