Two errors in a single line. The size was read from the wrong offset, and the end index didn't take the five bytes for sequence byte and size of sequence into account. Fix it all, and break up the calculations a bit to make it clearer. Cc: Ville Syrjälä <ville.syrjala@xxxxxxxxxxxxxxx> Reported-by: Mika Kahola <mika.kahola@xxxxxxxxx> Fixes: 2a33d93486f2 ("drm/i915/bios: add support for MIPI sequence block v3") Signed-off-by: Jani Nikula <jani.nikula@xxxxxxxxx> --- drivers/gpu/drm/i915/intel_bios.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/i915/intel_bios.c b/drivers/gpu/drm/i915/intel_bios.c index 12e2f8b8bf9c..bf62a19c8f69 100644 --- a/drivers/gpu/drm/i915/intel_bios.c +++ b/drivers/gpu/drm/i915/intel_bios.c @@ -842,6 +842,7 @@ static int goto_next_sequence_v3(const u8 *data, int index, int total) { int seq_end; u16 len; + u32 size_of_sequence; /* * Could skip sequence based on Size of Sequence alone, but also do some @@ -852,14 +853,24 @@ static int goto_next_sequence_v3(const u8 *data, int index, int total) return 0; } - seq_end = index + *((const u32 *)(data + 1)); + /* Skip Sequence Byte. */ + index++; + + /* + * Size of Sequence. Excludes the Sequence Byte and the size itself, + * includes MIPI_SEQ_ELEM_END byte, excludes the final MIPI_SEQ_END + * byte. + */ + size_of_sequence = *((const uint32_t *)(data + index)); + index += 4; + + seq_end = index + size_of_sequence; if (seq_end > total) { DRM_ERROR("Invalid sequence size\n"); return 0; } - /* Skip Sequence Byte and Size of Sequence. */ - for (index = index + 5; index < total; index += len) { + for (; index < total; index += len) { u8 operation_byte = *(data + index); index++; -- 2.1.4
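
Review bot: the new local at the top of goto_next_sequence_v3() is declared `u32 size_of_sequence;`, but the assignment in the following hunk casts to `const uint32_t *`, so the same value is spelled with two different type names within one function. Using `u32` in the cast as well would match the surrounding `u16 len` and `const u8 *data`. Since this value is later added to the signed `index` and stored in `int seq_end`, a short comment at the declaration saying it comes unvalidated from the VBT data would also help the next reader.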
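
Review bot: at `seq_end = index + size_of_sequence;` an int is added to a u32 taken straight from the VBT data, so the sum is computed unsigned and then stored in the int `seq_end`; a large enough Size of Sequence can come out negative and pass the `seq_end > total` test. Testing `size_of_sequence > total - index` before the addition rejects that case without relying on the conversion. The visible lines also do not show a check that four bytes remain at `data + index` before `*((const uint32_t *)(data + index))` is dereferenced, and that cast is an unaligned, host-endian load; get_unaligned_le32(data + index) would make the access explicit, assuming the VBT field is little-endian.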