[PATCH] drm: fix out-of-bounds access with short VSDB blocks

Mon Jul 22 14:38:34 UTC 2019

From: Simon Ser <simon.ser at intel.com>

The VSDB parsing code contains a few len >= N checks, accessing db[N] on
success. However if len == N, db[N] is out-of-bounds.

This commit changes the checks to test for len > N.

Signed-off-by: Simon Ser <contact at emersion.fr>
---
 drivers/gpu/drm/drm_edid.c | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/drivers/gpu/drm/drm_edid.c b/drivers/gpu/drm/drm_edid.c
index 82a4ceed3fcf..13d632f14172 100644
--- a/drivers/gpu/drm/drm_edid.c
+++ b/drivers/gpu/drm/drm_edid.c
@@ -3569,7 +3569,7 @@ do_hdmi_vsdb_modes(struct drm_connector *connector, const u8 *db, u8 len,
 	vic_len = db[8 + offset] >> 5;
 	hdmi_3d_len = db[8 + offset] & 0x1f;

-	for (i = 0; i < vic_len && len >= (9 + offset + i); i++) {
+	for (i = 0; i < vic_len && len > (9 + offset + i); i++) {
 		u8 vic;

 		vic = db[9 + offset + i];
@@ -3971,11 +3971,11 @@ drm_parse_hdr_metadata_block(struct drm_connector *connector, const u8 *db)
 	connector->hdr_sink_metadata.hdmi_type1.metadata_type =
 						hdr_metadata_type(db);

-	if (len >= 4)
+	if (len > 4)
 		connector->hdr_sink_metadata.hdmi_type1.max_cll = db[4];
-	if (len >= 5)
+	if (len > 5)
 		connector->hdr_sink_metadata.hdmi_type1.max_fall = db[5];
-	if (len >= 6)
+	if (len > 6)
 		connector->hdr_sink_metadata.hdmi_type1.min_cll = db[6];
 }

@@ -3984,19 +3984,19 @@ drm_parse_hdmi_vsdb_audio(struct drm_connector *connector, const u8 *db)
 {
 	u8 len = cea_db_payload_len(db);

-	if (len >= 6 && (db[6] & (1 << 7)))
+	if (len > 6 && (db[6] & (1 << 7)))
 		connector->eld[DRM_ELD_SAD_COUNT_CONN_TYPE] |= DRM_ELD_SUPPORTS_AI;
-	if (len >= 8) {
+	if (len > 8) {
 		connector->latency_present[0] = db[8] >> 7;
 		connector->latency_present[1] = (db[8] >> 6) & 1;
 	}
-	if (len >= 9)
+	if (len > 9)
 		connector->video_latency[0] = db[9];
-	if (len >= 10)
+	if (len > 10)
 		connector->audio_latency[0] = db[10];
-	if (len >= 11)
+	if (len > 11)
 		connector->video_latency[1] = db[11];
-	if (len >= 12)
+	if (len > 12)
 		connector->audio_latency[1] = db[12];

 	DRM_DEBUG_KMS("HDMI: latency present %d %d, "
@@ -4559,9 +4559,9 @@ drm_parse_hdmi_vsdb_video(struct drm_connector *connector, const u8 *db)
 	struct drm_display_info *info = &connector->display_info;
 	u8 len = cea_db_payload_len(db);

-	if (len >= 6)
+	if (len > 6)
 		info->dvi_dual = db[6] & 1;
-	if (len >= 7)
+	if (len > 7)
 		info->max_tmds_clock = db[7] * 5000;

 	DRM_DEBUG_KMS("HDMI: DVI dual %d, "
--
2.22.0


