
MLK-20518: hdp: Fix memory out of bounds access

Fix memory out of bounds access.
Change array type for function avi info frame,
Align the array type and its length.

Signed-off-by: Sandor Yu <Sandor.yu@nxp.com>
(cherry picked from commit 2fc41a88c9da514ae3f377e7cb73f4df886f038e)
pull/10/head
Sandor Yu 2018-12-04 15:21:01 +08:00
parent 66620c3d28
commit 9e8cb59e91
4 changed files with 14 additions and 13 deletions


@ -97,7 +97,7 @@ static int hdmi_avi_info_set(struct imx_hdp *hdp,
buf[0] = 0;
return CDN_API_InfoframeSet(&hdp->state, 0, sizeof(buf),
(u32 *)buf, HDMI_INFOFRAME_TYPE_AVI);
buf, HDMI_INFOFRAME_TYPE_AVI);
}
@ -124,7 +124,7 @@ static int hdmi_vendor_info_set(struct imx_hdp *hdp,
buf[0] = 0;
return CDN_API_InfoframeSet(&hdp->state, 0, sizeof(buf),
(u32 *)buf, HDMI_INFOFRAME_TYPE_VENDOR);
buf, HDMI_INFOFRAME_TYPE_VENDOR);
}
@ -487,6 +487,5 @@ int hdmi_write_hdr_metadata(state_struct *state,
infoframe_size++;
return CDN_API_InfoframeSet(state, 2, infoframe_size,
(u32 *)buffer,
HDMI_INFOFRAME_TYPE_DRM);
buffer, HDMI_INFOFRAME_TYPE_DRM);
}


@ -87,8 +87,7 @@ static void imx_hdmi_audio_avi_set(state_struct *state,
buf[0] = 0;
CDN_API_InfoframeSet(state, 1, sizeof(buf),
(u32 *)buf, HDMI_INFOFRAME_TYPE_AUDIO);
CDN_API_InfoframeSet(state, 1, sizeof(buf), buf, HDMI_INFOFRAME_TYPE_AUDIO);
}
static u32 imx_hdp_audio(struct imx_hdp *hdmi, AUDIO_TYPE type, u32 sample_rate, u32 channels, u32 width)


@ -53,9 +53,10 @@
static CDN_API_STATUS infoframeSet(state_struct *state, u8 entry_id,
u8 packet_len,
u32 *packet, u8 packet_type, u8 active_idle)
u8 *packet, u8 packet_type, u8 active_idle)
{
u32 idx;
u32 *packet32, len;
u32 activeIdleBit = (0 == active_idle) ? 0 : 0x20000;
/* invalidate entry */
@ -78,11 +79,13 @@ static CDN_API_STATUS infoframeSet(state_struct *state, u8 entry_id,
return CDN_ERR;
/* write packet into memory */
for (idx = 0; idx < packet_len; idx++)
packet32 = (u32 *)packet;
len = packet_len / 4;
for (idx = 0; idx < len; idx++)
if (cdn_apb_write
(state,
BANK_OFFSET | ADDR_SOURCE_PIF | (SOURCE_PIF_DATA_WR << 2),
F_DATA_WR(packet[idx])))
F_DATA_WR(packet32[idx])))
return CDN_ERR;
/* write entry id */
@ -114,7 +117,7 @@ static CDN_API_STATUS infoframeSet(state_struct *state, u8 entry_id,
}
CDN_API_STATUS CDN_API_InfoframeSet(state_struct *state, u8 entry_id,
u8 packet_len, u32 *packet, u8 packet_type)
u8 packet_len, u8 *packet, u8 packet_type)
{
return infoframeSet(state, entry_id, packet_len, packet, packet_type,
1);
@ -122,7 +125,7 @@ CDN_API_STATUS CDN_API_InfoframeSet(state_struct *state, u8 entry_id,
CDN_API_STATUS CDN_API_InfoframeSetNoActiveIdle(state_struct *state,
u8 entry_id, u8 packet_len,
u32 *packet, u8 packet_type)
u8 *packet, u8 packet_type)
{
return infoframeSet(state, entry_id, packet_len, packet, packet_type,
0);
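Review bot: `len = packet_len / 4` in the write loop rounds down, so a byte length that is not a multiple of 4 silently loses its last one to three bytes. hdmi_write_hdr_metadata passes an `infoframe_size` that is incremented just before the call, so this looks reachable, though the buffer sizes are not visible here. The `(u32 *)packet` cast also assumes the callers' u8 buffers are 4-byte aligned, which the new `u8 *` signature no longer implies. Building each word with a bounded memcpy into a zero-initialised u32 covers both points and makes `packet32` and `len` unnecessary; whether the firmware expects a zero-padded tail word should be confirmed. infoframeSet's body continues outside these hunks.

```c
	/* write packet into memory */
	for (idx = 0; idx < packet_len; idx += 4) {
		u32 word = 0;
		u32 chunk = packet_len - idx;

		if (chunk > 4)
			chunk = 4;
		/* byte-wise copy: no alignment assumption, short tail stays zero-padded */
		memcpy(&word, packet + idx, chunk);
		if (cdn_apb_write
		    (state,
		     BANK_OFFSET | ADDR_SOURCE_PIF | (SOURCE_PIF_DATA_WR << 2),
		     F_DATA_WR(word)))
			return CDN_ERR;
	}
	/* … unchanged: write entry id … */
```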


@ -53,11 +53,11 @@
* \{
*/
CDN_API_STATUS CDN_API_InfoframeSet(state_struct *state, u8 entry_id,
u8 packet_len, u32 *packet,
u8 packet_len, u8 *packet,
u8 packet_type);
CDN_API_STATUS CDN_API_InfoframeSetNoActiveIdle(state_struct *state,
u8 entry_id, u8 packet_len,
u32 *packet, u8 packet_type);
u8 *packet, u8 packet_type);
CDN_API_STATUS CDN_API_InfoframeRemove(state_struct *state, u8 entry_id);
CDN_API_STATUS CDN_API_InfoframeRemovePacket(state_struct *state, u8 entry_id, u8 packet_type);
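Review bot: The prototypes of CDN_API_InfoframeSet and CDN_API_InfoframeSetNoActiveIdle still do not say what `packet_len` counts, and that unit mismatch is what this commit had to repair. A comment above them such as `/* packet_len: size of packet in bytes; the data is written out as 32-bit words */` would keep new callers from passing a word count or an unpadded length. As far as the visible hunks show, the implementation only reads the buffer, so `const u8 *packet` would state that in the signature as well.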