From 7304b9810a7367131dc26ced61696e7c98dd6666 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Ville=20Syrj=C3=A4l=C3=A4?=
Date: Fri, 24 Jan 2020 22:02:24 +0200
Subject: [PATCH] drm/edid: Check the number of detailed timing descriptors in the CEA ext block
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

CEA-861 says:
"d = offset for the byte following the reserved data block. If no data is provided in the reserved data block, then d=4. If no DTDs are provided, then d=0."

So let's not look for DTDs when d==0. In fact let's just make that <4 since those values would just mean that the DTDs overlap the block header. And let's also check that d isn't so big as to declare the descriptors to live past the block end, although the code does already survive that case as we'd just end up with a negative number of descriptors and the loop would not do anything.

Cc: Allen Chen
Signed-off-by: Ville Syrjälä
Link: https://patchwork.freedesktop.org/patch/msgid/20200124200231.10517-1-ville.syrjala@linux.intel.com
Acked-by: Alex Deucher
Reviewed-by: Uma Shankar
--- drivers/gpu/drm/drm_edid.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_edid.c b/drivers/gpu/drm/drm_edid.c index 1fcec5f4c3ec..3fb280837fdb 100644 --- a/drivers/gpu/drm/drm_edid.c +++ b/drivers/gpu/drm/drm_edid.c @@ -2217,10 +2217,13 @@ typedef void detailed_cb(struct detailed_timing *timing, void *closure); static void cea_for_each_detailed_block(u8 *ext, detailed_cb *cb, void *closure) { - int i, n = 0; + int i, n; u8 d = ext[0x02]; u8 *det_base = ext + d; + if (d < 4 || d > 127) + return; + n = (127 - d) / 18; for (i = 0; i < n; i++) cb((struct detailed_timing *)(det_base + 18 * i), closure); -- 2.25.1
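Review bot: in cea_for_each_detailed_block(), `u8 *det_base = ext + d;` is still initialised in the declaration, ahead of the new `if (d < 4 || d > 127)` guard, so the pointer is formed from an offset that has not been validated yet. Nothing dereferences it before the early return, but assigning det_base after the check would keep all uses of d behind the validation and make the ordering obvious to the next reader. The guard and `n = (127 - d) / 18` also rely on bare literals (4, 127, 18); a one-line comment carrying the CEA-861 rule quoted in the commit message (d=0 means no DTDs, d<4 would overlap the block header) would keep that reasoning in the code. It may also be worth distinguishing the spec-valid d==0 case from the malformed 1..3 and >127 cases, for example with a debug message on the latter, since both currently return silently.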