[PATCH][next] drm/kmb: fix array out-of-bounds writes to kmb->plane_status[]
Sam Ravnborg
sam at ravnborg.org
Fri Nov 13 14:55:57 UTC 2020
Hi Colin.
On Fri, Nov 13, 2020 at 12:01:21PM +0000, Colin King wrote:
> From: Colin Ian King <colin.king at canonical.com>
>
> Writes to elements in the kmb->plane_status array in function
> kmb_plane_atomic_disable are overrunning the array when plane_id is
> more than 1 because currently the array is KMB_MAX_PLANES elements
> in size and this is currently #defined as 1. Fix this by defining
> KMB_MAX_PLANES to 4.
I fail to follow you here.
In kmb_plane_init() only one plane is allocated - with id set to 0.
So for now only one plane is allocated, thus kmb_plane_atomic_disable()
is only called for this plane.
With your change we will start allocating four planes, something that is
not tested.
Am I missing something?
Sam