From 4f8d397b53d9f742229edc6535263711394f84ac Mon Sep 17 00:00:00 2001 From: Sandor Yu Date: Tue, 4 Dec 2018 15:21:01 +0800 Subject: [PATCH] MLK-20518: hdp: Fix memory out of bounds access Fix memory out of bounds access. Change arry type for functopn avi info frame, Align the arry type and its length. Signed-off-by: Sandor Yu --- drivers/gpu/drm/imx/hdp/imx-hdmi.c | 7 +++---- drivers/gpu/drm/imx/hdp/imx-hdp-audio.c | 3 +-- drivers/mxc/hdp/API_Infoframe.c | 13 ++++++++----- drivers/mxc/hdp/API_Infoframe.h | 4 ++-- 4 files changed, 14 insertions(+), 13 deletions(-) diff --git a/drivers/gpu/drm/imx/hdp/imx-hdmi.c b/drivers/gpu/drm/imx/hdp/imx-hdmi.c index 98598f966983..6894d9caaef0 100644 --- a/drivers/gpu/drm/imx/hdp/imx-hdmi.c +++ b/drivers/gpu/drm/imx/hdp/imx-hdmi.c @@ -97,7 +97,7 @@ static int hdmi_avi_info_set(struct imx_hdp *hdp, buf[0] = 0; return CDN_API_InfoframeSet(&hdp->state, 0, sizeof(buf), - (u32 *)buf, HDMI_INFOFRAME_TYPE_AVI); + buf, HDMI_INFOFRAME_TYPE_AVI); } @@ -126,7 +126,7 @@ static int hdmi_vendor_info_set(struct imx_hdp *hdp, buf[0] = 0; return CDN_API_InfoframeSet(&hdp->state, 0, sizeof(buf), - (u32 *)buf, HDMI_INFOFRAME_TYPE_VENDOR); + buf, HDMI_INFOFRAME_TYPE_VENDOR); } @@ -489,6 +489,5 @@ int hdmi_write_hdr_metadata(state_struct *state, infoframe_size++; return CDN_API_InfoframeSet(state, 2, infoframe_size, - (u32 *)buffer, - HDMI_INFOFRAME_TYPE_DRM); + buffer, HDMI_INFOFRAME_TYPE_DRM); } diff --git a/drivers/gpu/drm/imx/hdp/imx-hdp-audio.c b/drivers/gpu/drm/imx/hdp/imx-hdp-audio.c index 0a509a156adb..19e9176784a6 100644 --- a/drivers/gpu/drm/imx/hdp/imx-hdp-audio.c +++ b/drivers/gpu/drm/imx/hdp/imx-hdp-audio.c @@ -87,8 +87,7 @@ static void imx_hdmi_audio_avi_set(state_struct *state, buf[0] = 0; - CDN_API_InfoframeSet(state, 1, sizeof(buf), - (u32 *)buf, HDMI_INFOFRAME_TYPE_AUDIO); + CDN_API_InfoframeSet(state, 1, sizeof(buf), buf, HDMI_INFOFRAME_TYPE_AUDIO); } static u32 imx_hdp_audio(struct imx_hdp *hdmi, AUDIO_TYPE type, u32 sample_rate, u32 channels, u32 width) diff --git a/drivers/mxc/hdp/API_Infoframe.c b/drivers/mxc/hdp/API_Infoframe.c index 2a4e9739e14f..a42010e57c9a 100644 --- a/drivers/mxc/hdp/API_Infoframe.c +++ b/drivers/mxc/hdp/API_Infoframe.c @@ -53,9 +53,10 @@ static CDN_API_STATUS infoframeSet(state_struct *state, u8 entry_id, u8 packet_len, - u32 *packet, u8 packet_type, u8 active_idle) + u8 *packet, u8 packet_type, u8 active_idle) { u32 idx; + u32 *packet32, len; u32 activeIdleBit = (0 == active_idle) ? 0 : 0x20000; /* invalidate entry */ @@ -78,11 +79,13 @@ static CDN_API_STATUS infoframeSet(state_struct *state, u8 entry_id, return CDN_ERR; /* write packet into memory */ - for (idx = 0; idx < packet_len; idx++) + packet32 = (u32 *)packet; + len = packet_len / 4; + for (idx = 0; idx < len; idx++) if (cdn_apb_write (state, BANK_OFFSET | ADDR_SOURCE_PIF | (SOURCE_PIF_DATA_WR << 2), - F_DATA_WR(packet[idx]))) + F_DATA_WR(packet32[idx]))) return CDN_ERR; /* write entry id */ @@ -114,7 +117,7 @@ static CDN_API_STATUS infoframeSet(state_struct *state, u8 entry_id, } CDN_API_STATUS CDN_API_InfoframeSet(state_struct *state, u8 entry_id, - u8 packet_len, u32 *packet, u8 packet_type) + u8 packet_len, u8 *packet, u8 packet_type) { return infoframeSet(state, entry_id, packet_len, packet, packet_type, 1); @@ -122,7 +125,7 @@ CDN_API_STATUS CDN_API_InfoframeSet(state_struct *state, u8 entry_id, CDN_API_STATUS CDN_API_InfoframeSetNoActiveIdle(state_struct *state, u8 entry_id, u8 packet_len, - u32 *packet, u8 packet_type) + u8 *packet, u8 packet_type) { return infoframeSet(state, entry_id, packet_len, packet, packet_type, 0); diff --git a/drivers/mxc/hdp/API_Infoframe.h b/drivers/mxc/hdp/API_Infoframe.h index 492eb6646629..15aa27387dc4 100644 --- a/drivers/mxc/hdp/API_Infoframe.h +++ b/drivers/mxc/hdp/API_Infoframe.h @@ -53,11 +53,11 @@ * \{ */ CDN_API_STATUS CDN_API_InfoframeSet(state_struct *state, u8 entry_id, - u8 packet_len, u32 *packet, + u8 packet_len, u8 *packet, u8 packet_type); CDN_API_STATUS CDN_API_InfoframeSetNoActiveIdle(state_struct *state, u8 entry_id, u8 packet_len, - u32 *packet, u8 packet_type); + u8 *packet, u8 packet_type); CDN_API_STATUS CDN_API_InfoframeRemove(state_struct *state, u8 entry_id); CDN_API_STATUS CDN_API_InfoframeRemovePacket(state_struct *state, u8 entry_id, u8 packet_type); -- 2.17.1