On Mon, 25 May 2015, Andrey Ryabinin <a.ryabinin@xxxxxxxxxxx> wrote:
> On 05/25/2015 04:12 PM, Jani Nikula wrote:
>> On Mon, 25 May 2015, Andrey Ryabinin <a.ryabinin@xxxxxxxxxxx> wrote:
>>> for_each_*_in_state validate array index after
>>> access to array elements, thus perform out of bounds read.
>>>
>>> Fix this by validating index in the first place and read
>>> array element iff validation was successful.
>>>
>>> Fixes: df63b9994eaf ("drm/atomic: Add for_each_{connector,crtc,plane}_in_state helper macros")
>>> Signed-off-by: Andrey Ryabinin <a.ryabinin@xxxxxxxxxxx>
>>> ---
>>> include/drm/drm_atomic.h | 24 ++++++++++++------------
>>> 1 file changed, 12 insertions(+), 12 deletions(-)
>>>
>>> diff --git a/include/drm/drm_atomic.h b/include/drm/drm_atomic.h >>> index c1571034..3f13b91 100644 >>> --- a/include/drm/drm_atomic.h >>> +++ b/include/drm/drm_atomic.h >>> @@ -77,26 +77,26 @@ int __must_check drm_atomic_async_commit(struct drm_atomic_state *state); >>> >>> #define for_each_connector_in_state(state, connector, connector_state, __i) \ >>> for ((__i) = 0; \ >>> - (connector) = (state)->connectors[__i], \ >>> - (connector_state) = (state)->connector_states[__i], \ >>> - (__i) < (state)->num_connector; \ >>> + (__i) < (state)->num_connector && \ >>> + ((connector) = (state)->connectors[__i], \ >>> + (connector_state) = (state)->connector_states[__i], 1); \
>>
>> This will stop at the first NULL connector/connector_state. Similarly
>> for the loops below.
>>
>
> This will stop iff (__i) >= (state)->num_connector, because the result of expression:
> ((connector) = (state)->connectors[__i], (connector_state) = (state)->connector_states[__i], 1)
> is always 1.

Why do you think it'll always be 1?

BR,
Jani.

>
>

--
Jani Nikula, Intel Open Source Technology Center
_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/dri-devel
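
Review bot: the `, 1` that closes the comma expression in the new loop condition of for_each_connector_in_state is easy to misread as a NULL test on connector_state, so it deserves a comment above the macro. The comment should say that the parenthesised comma expression always evaluates to its last operand, the constant 1, and that only `(__i) < (state)->num_connector` can end the loop. Because `&&` short-circuits, the reads of `(state)->connectors[__i]` and `(state)->connector_states[__i]` are skipped once __i reaches num_connector, which is the out-of-bounds read the commit message describes. The diffstat counts 12 insertions and 12 deletions, but only the connector macro is visible here, so the same check should be confirmed for the remaining hunks.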