From: Ville Syrjälä Date: Fri, 24 Jan 2020 20:02:24 +0000 (+0200) Subject: drm/edid: Check the number of detailed timing descriptors in the CEA ext block X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=7304b9810a7367131dc26ced61696e7c98dd6666;p=linux.git drm/edid: Check the number of detailed timing descriptors in the CEA ext block CEA-861 says : "d = offset for the byte following the reserved data block. If no data is provided in the reserved data block, then d=4. If no DTDs are provided, then d=0." So let's not look for DTDs when d==0. In fact let's just make that <4 since those values would just mean that he DTDs overlap the block header. And let's also check that d isn't so big as to declare the descriptors to live past the block end, although the code does already survive that case as we'd just end up with a negative number of descriptors and the loop would not do anything. Cc: Allen Chen Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20200124200231.10517-1-ville.syrjala@linux.intel.com Acked-by: Alex Deucher Reviewed-by: Uma Shankar --- diff --git a/drivers/gpu/drm/drm_edid.c b/drivers/gpu/drm/drm_edid.c index 1fcec5f4c3ec2..3fb280837fdb1 100644 --- a/drivers/gpu/drm/drm_edid.c +++ b/drivers/gpu/drm/drm_edid.c @@ -2217,10 +2217,13 @@ typedef void detailed_cb(struct detailed_timing *timing, void *closure); static void cea_for_each_detailed_block(u8 *ext, detailed_cb *cb, void *closure) { - int i, n = 0; + int i, n; u8 d = ext[0x02]; u8 *det_base = ext + d; + if (d < 4 || d > 127) + return; + n = (127 - d) / 18; for (i = 0; i < n; i++) cb((struct detailed_timing *)(det_base + 18 * i), closure);