[PATCH 1/8] drm/edid: Check the number of detailed timing descriptors in the CEA ext block

Ville Syrjala ville.syrjala at linux.intel.com
Fri Jan 24 20:02:24 UTC 2020


From: Ville Syrjälä <ville.syrjala at linux.intel.com>

CEA-861 says :
"d = offset for the byte following the reserved data block.
 If no data is provided in the reserved data block, then d=4.
 If no DTDs are provided, then d=0."

So let's not look for DTDs when d==0. In fact let's just make that
<4 since those values would just mean that he DTDs overlap the block
header. And let's also check that d isn't so big as to declare
the descriptors to live past the block end, although the code
does already survive that case as we'd just end up with a negative
number of descriptors and the loop would not do anything.

Cc: Allen Chen <allen.chen at ite.com.tw>
Signed-off-by: Ville Syrjälä <ville.syrjala at linux.intel.com>
---
 drivers/gpu/drm/drm_edid.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/drm_edid.c b/drivers/gpu/drm/drm_edid.c
index 99769d6c9f84..1b6e544cf5c7 100644
--- a/drivers/gpu/drm/drm_edid.c
+++ b/drivers/gpu/drm/drm_edid.c
@@ -2201,10 +2201,13 @@ typedef void detailed_cb(struct detailed_timing *timing, void *closure);
 static void
 cea_for_each_detailed_block(u8 *ext, detailed_cb *cb, void *closure)
 {
-	int i, n = 0;
+	int i, n;
 	u8 d = ext[0x02];
 	u8 *det_base = ext + d;
 
+	if (d < 4 || d > 127)
+		return;
+
 	n = (127 - d) / 18;
 	for (i = 0; i < n; i++)
 		cb((struct detailed_timing *)(det_base + 18 * i), closure);
-- 
2.24.1



More information about the dri-devel mailing list