CERT-C Characters and Strings (CERT STR31-C)
all_drm_priv[cnt] evaluates to an address that could be at negative
offset of an array.
In mtk_drm_get_all_drm_priv():
Guarantee that storage for strings has sufficient space for character
data and the null terminator.
So change cnt to unsigned int and check its max value.
Signed-off-by: Jason-JH.Lin <jason-jh.lin@xxxxxxxxxxxx>
Fixes: 1ef7ed48356c ("drm/mediatek: Modify mediatek-drm for mt8195 multi mmsys support")
---
drivers/gpu/drm/mediatek/mtk_drm_drv.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
index 86255a066faf..fcfa10332166 100644
--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c
+++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
@@ -378,7 +378,7 @@ static bool mtk_drm_get_all_drm_priv(struct device *dev)
const struct of_device_id *of_id;
struct device_node *node;
struct device *drm_dev;
- int cnt = 0;
+ unsigned int cnt = 0;
int i, j;
for_each_child_of_node(phandle->parent, node) {
@@ -397,7 +397,7 @@ static bool mtk_drm_get_all_drm_priv(struct device *dev)
continue;
all_drm_priv[cnt] = dev_get_drvdata(drm_dev);
- if (all_drm_priv[cnt] && all_drm_priv[cnt]->mtk_drm_bound)
+ if (cnt < MAX_CRTC && all_drm_priv[cnt] && all_drm_priv[cnt]->mtk_drm_bound)
cnt++;
}
--
2.18.0
