On 05/25/2015 04:12 PM, Jani Nikula wrote:
> On Mon, 25 May 2015, Andrey Ryabinin <a.ryabinin at samsung.com> wrote:
>> for_each_*_in_state validate array index after
>> access to array elements, thus perform out of bounds read.
>>
>> Fix this by validating index in the first place and read
>> array element iff validation was successful.
>>
>> Fixes: df63b9994eaf ("drm/atomic: Add
>> for_each_{connector,crtc,plane}_in_state helper macros")
>> Signed-off-by: Andrey Ryabinin <a.ryabinin at samsung.com>
>> ---
>> include/drm/drm_atomic.h | 24 ++++++++++++------------
>> 1 file changed, 12 insertions(+), 12 deletions(-)
>>
>> diff --git a/include/drm/drm_atomic.h b/include/drm/drm_atomic.h
>> index c1571034..3f13b91 100644
>> --- a/include/drm/drm_atomic.h
>> +++ b/include/drm/drm_atomic.h
>> @@ -77,26 +77,26 @@ int __must_check drm_atomic_async_commit(struct
>> drm_atomic_state *state);
>>
>> #define for_each_connector_in_state(state, connector, connector_state, __i)
>> \
>> for ((__i) = 0; \
>> - (connector) = (state)->connectors[__i], \
>> - (connector_state) = (state)->connector_states[__i], \
>> - (__i) < (state)->num_connector; \
>> + (__i) < (state)->num_connector && \
>> + ((connector) = (state)->connectors[__i], \
>> + (connector_state) = (state)->connector_states[__i], 1); \
>
> This will stop at the first NULL connector/connector_state. Similarly
> for the loops below.
>
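Review bot: the trailing `, 1)` in the new loop condition is the detail that carries the fix and deserves a one-line comment in the macro, because a reader skimming `(__i) < (state)->num_connector && ((connector) = ..., (connector_state) = ..., 1)` can easily take the `&&` to mean that a NULL `connectors[__i]` or `connector_states[__i]` ends the loop; the comma expression evaluates to the constant 1, so termination depends only on the index check and NULL entries are visited like any other. Two more points on this hunk: once `__i` reaches `num_connector` the assignments are skipped, so `connector` and `connector_state` keep the values from the last in-range iteration rather than the out-of-bounds element the old form loaded, and callers must not use them after the loop; and the quoted hunk ends after the connector macro while the Fixes line and the diffstat (12 insertions, 12 deletions) cover the crtc and plane macros too, so the same reordering should be confirmed there.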
This will stop iff (__i) >= (state)->num_connector, because the result of the expression ((connector) = (state)->connectors[__i], (connector_state) = (state)->connector_states[__i], 1) is always 1.
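As an added illustration of the point made in the reply above, and not drm code from the patch or the kernel: a stand-alone C model of the connector loop in its pre-patch and patched shapes. The struct and helper names (toy_state, toy_conn_at, toy_run_old, toy_run_new) are invented for this example, the arrays are instrumented to count reads at an index >= num_connector, the sample state is constructed in toy_build, and the for-loop increment clause, which the quoted hunk cuts off, is assumed to be (__i)++.

```c
#include <stddef.h>

#define TOY_MAX 4

struct toy_connector { int id; };
struct toy_connector_state { int active; };

/* Toy stand-in for drm_atomic_state (invented for this example). The arrays
 * carry one spare slot so the pre-patch macro's read at index num_connector
 * lands on a NULL sentinel instead of undefined behaviour; oob_reads counts
 * such reads. */
struct toy_state {
    int num_connector;
    struct toy_connector *connectors[TOY_MAX + 1];
    struct toy_connector_state *connector_states[TOY_MAX + 1];
    int oob_reads;
};

struct toy_result {
    int visited;    /* loop body executions */
    int nulls_seen; /* iterations where connector was NULL */
    int oob_reads;  /* array reads at index >= num_connector */
};

/* Instrumented accessors; the real macros index the arrays directly. */
static struct toy_connector *toy_conn_at(struct toy_state *s, int i)
{
    if (i >= s->num_connector)
        s->oob_reads++;
    return s->connectors[i];
}

static struct toy_connector_state *toy_cstate_at(struct toy_state *s, int i)
{
    if (i >= s->num_connector)
        s->oob_reads++;
    return s->connector_states[i];
}

/* Pre-patch shape: element reads happen before the bounds check. */
#define toy_for_each_connector_old(state, connector, connector_state, __i) \
    for ((__i) = 0;                                                      \
         (connector) = toy_conn_at((state), (__i)),                      \
         (connector_state) = toy_cstate_at((state), (__i)),              \
         (__i) < (state)->num_connector;                                 \
         (__i)++)

/* Patched shape: bounds check first; the comma expression ends in 1, so the
 * right-hand side of && never ends the loop on its own, NULL entries or not. */
#define toy_for_each_connector_new(state, connector, connector_state, __i) \
    for ((__i) = 0;                                                      \
         (__i) < (state)->num_connector &&                               \
         ((connector) = toy_conn_at((state), (__i)),                     \
          (connector_state) = toy_cstate_at((state), (__i)), 1);         \
         (__i)++)

static struct toy_connector toy_conns[TOY_MAX];
static struct toy_connector_state toy_cstates[TOY_MAX];

/* Constructed input: n entries, with connectors[null_at] left NULL when
 * null_at is in range (the case raised in the review). */
static void toy_build(struct toy_state *s, int n, int null_at)
{
    int i;

    if (n > TOY_MAX)
        n = TOY_MAX;
    s->num_connector = n;
    s->oob_reads = 0;
    for (i = 0; i <= TOY_MAX; i++) {
        s->connectors[i] = NULL;
        s->connector_states[i] = NULL;
    }
    for (i = 0; i < n; i++) {
        toy_conns[i].id = i;
        toy_cstates[i].active = 1;
        s->connectors[i] = (i == null_at) ? NULL : &toy_conns[i];
        s->connector_states[i] = &toy_cstates[i];
    }
}

struct toy_result toy_run_old(int n, int null_at)
{
    struct toy_state s;
    struct toy_connector *c;
    struct toy_connector_state *cs;
    struct toy_result r = { 0, 0, 0 };
    int i;

    toy_build(&s, n, null_at);
    toy_for_each_connector_old(&s, c, cs, i) {
        r.visited++;
        if (c == NULL)
            r.nulls_seen++;
        (void)cs;
    }
    r.oob_reads = s.oob_reads;
    return r;
}

struct toy_result toy_run_new(int n, int null_at)
{
    struct toy_state s;
    struct toy_connector *c;
    struct toy_connector_state *cs;
    struct toy_result r = { 0, 0, 0 };
    int i;

    toy_build(&s, n, null_at);
    toy_for_each_connector_new(&s, c, cs, i) {
        r.visited++;
        if (c == NULL)
            r.nulls_seen++;
        (void)cs;
    }
    r.oob_reads = s.oob_reads;
    return r;
}
```

toy_run_old(3, -1) reports two reads at index 3 (one per array) made before the bounds check fails, which is the out-of-bounds read the patch removes; toy_run_new(3, 1) reports no such reads and still visits all three slots, the NULL one included, because the right-hand side of the && is a comma expression whose value is always 1.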