Commit 5c820b80 authored by Dan Carpenter, committed by Bartlomiej Zolnierkiewicz

video: fbdev: metronomefb: fix some off by one bugs

The "mem" buffer has "size" bytes.  The ">" should be ">=" to prevent
reading one character beyond the end of the array.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
parent ff459c2d
...@@ -233,7 +233,7 @@ static int load_waveform(u8 *mem, size_t size, int m, int t, ...@@ -233,7 +233,7 @@ static int load_waveform(u8 *mem, size_t size, int m, int t,
/* check temperature range table checksum */ /* check temperature range table checksum */
cksum_idx = sizeof(*wfm_hdr) + wfm_hdr->trc + 1; cksum_idx = sizeof(*wfm_hdr) + wfm_hdr->trc + 1;
if (cksum_idx > size) if (cksum_idx >= size)
return -EINVAL; return -EINVAL;
cksum = calc_cksum(sizeof(*wfm_hdr), cksum_idx, mem); cksum = calc_cksum(sizeof(*wfm_hdr), cksum_idx, mem);
if (cksum != mem[cksum_idx]) { if (cksum != mem[cksum_idx]) {
...@@ -245,7 +245,7 @@ static int load_waveform(u8 *mem, size_t size, int m, int t, ...@@ -245,7 +245,7 @@ static int load_waveform(u8 *mem, size_t size, int m, int t,
/* check waveform mode table address checksum */ /* check waveform mode table address checksum */
wmta = get_unaligned_le32(wfm_hdr->wmta) & 0x00FFFFFF; wmta = get_unaligned_le32(wfm_hdr->wmta) & 0x00FFFFFF;
cksum_idx = wmta + m*4 + 3; cksum_idx = wmta + m*4 + 3;
if (cksum_idx > size) if (cksum_idx >= size)
return -EINVAL; return -EINVAL;
cksum = calc_cksum(cksum_idx - 3, cksum_idx, mem); cksum = calc_cksum(cksum_idx - 3, cksum_idx, mem);
if (cksum != mem[cksum_idx]) { if (cksum != mem[cksum_idx]) {
...@@ -257,7 +257,7 @@ static int load_waveform(u8 *mem, size_t size, int m, int t, ...@@ -257,7 +257,7 @@ static int load_waveform(u8 *mem, size_t size, int m, int t,
/* check waveform temperature table address checksum */ /* check waveform temperature table address checksum */
tta = get_unaligned_le32(mem + wmta + m * 4) & 0x00FFFFFF; tta = get_unaligned_le32(mem + wmta + m * 4) & 0x00FFFFFF;
cksum_idx = tta + trn*4 + 3; cksum_idx = tta + trn*4 + 3;
if (cksum_idx > size) if (cksum_idx >= size)
return -EINVAL; return -EINVAL;
cksum = calc_cksum(cksum_idx - 3, cksum_idx, mem); cksum = calc_cksum(cksum_idx - 3, cksum_idx, mem);
if (cksum != mem[cksum_idx]) { if (cksum != mem[cksum_idx]) {
...@@ -270,7 +270,7 @@ static int load_waveform(u8 *mem, size_t size, int m, int t, ...@@ -270,7 +270,7 @@ static int load_waveform(u8 *mem, size_t size, int m, int t,
metromem buffer. this does runlength decoding of the waveform */ metromem buffer. this does runlength decoding of the waveform */
wfm_idx = get_unaligned_le32(mem + tta + trn * 4) & 0x00FFFFFF; wfm_idx = get_unaligned_le32(mem + tta + trn * 4) & 0x00FFFFFF;
owfm_idx = wfm_idx; owfm_idx = wfm_idx;
if (wfm_idx > size) if (wfm_idx >= size)
return -EINVAL; return -EINVAL;
while (wfm_idx < size) { while (wfm_idx < size) {
unsigned char rl; unsigned char rl;
...@@ -292,7 +292,7 @@ static int load_waveform(u8 *mem, size_t size, int m, int t, ...@@ -292,7 +292,7 @@ static int load_waveform(u8 *mem, size_t size, int m, int t,
} }
cksum_idx = wfm_idx; cksum_idx = wfm_idx;
if (cksum_idx > size) if (cksum_idx >= size)
return -EINVAL; return -EINVAL;
cksum = calc_cksum(owfm_idx, cksum_idx, mem); cksum = calc_cksum(owfm_idx, cksum_idx, mem);
if (cksum != mem[cksum_idx]) { if (cksum != mem[cksum_idx]) {
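Review bot: Nothing visible in the first hunk establishes that `size` is at least `sizeof(*wfm_hdr)` before `wfm_hdr->trc` is read in `cksum_idx = sizeof(*wfm_hdr) + wfm_hdr->trc + 1;`, so the tightened `>=` tests bound the table indexes but not the header access itself. load_waveform() starts above this hunk, so the guard may already exist there; if it does not, `if (size < sizeof(*wfm_hdr)) return -EINVAL;` belongs before the first header field is dereferenced. The `wmta` and `tta` checks also deserve a comment such as `/* also bounds the 32-bit table entry read below */`, because `cksum_idx` is the last byte of the 4-byte entry fetched by the following `get_unaligned_le32()` and that coupling is what keeps those reads inside `mem`. The body of the `while (wfm_idx < size)` loop lies outside the hunks shown and was not reviewed.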