[PATCH 6/9] drm/udl: Return error if vendor descriptor is too short

Tue, 01 Apr 2025 09:23:47 -0700 

There need to be least 5 bytes in the vendor descriptor. Return
an error otherwise. Also change the branching to early-out on
the error. Adjust indention of the rest of the parser function.

Signed-off-by: Thomas Zimmermann <tzimmerm...@suse.de>
---
 drivers/gpu/drm/udl/udl_main.c | 72 +++++++++++++++++-----------------
 1 file changed, 36 insertions(+), 36 deletions(-)

diff --git a/drivers/gpu/drm/udl/udl_main.c b/drivers/gpu/drm/udl/udl_main.c
index 4291ddb7158c4..58d6065589d3a 100644
--- a/drivers/gpu/drm/udl/udl_main.c
+++ b/drivers/gpu/drm/udl/udl_main.c
@@ -45,43 +45,43 @@ static int udl_parse_vendor_descriptor(struct udl_device 
*udl)
                goto unrecognized;
        len = ret;
 
-       if (len > 5) {
-               DRM_INFO("vendor descriptor length: %u data:%11ph\n",
-                        len, desc);
-
-               if ((desc[0] != len) ||    /* descriptor length */
-                   (desc[1] != 0x5f) ||   /* vendor descriptor type */
-                   (desc[2] != 0x01) ||   /* version (2 bytes) */
-                   (desc[3] != 0x00) ||
-                   (desc[4] != len - 2))  /* length after type */
-                       goto unrecognized;
-
-               desc_end = desc + len;
-               desc += 5; /* the fixed header we've already parsed */
-
-               while (desc < desc_end) {
-                       u8 length;
-                       u16 key;
-
-                       key = le16_to_cpu(*((u16 *) desc));
-                       desc += sizeof(u16);
-                       length = *desc;
-                       desc++;
-
-                       switch (key) {
-                       case 0x0200: { /* max_area */
-                               u32 max_area;
-                               max_area = le32_to_cpu(*((u32 *)desc));
-                               DRM_DEBUG("DL chip limited to %d pixel modes\n",
-                                       max_area);
-                               udl->sku_pixel_limit = max_area;
-                               break;
-                       }
-                       default:
-                               break;
-                       }
-                       desc += length;
+       if (len < 5)
+               goto unrecognized;
+
+       DRM_INFO("vendor descriptor length: %u data:%11ph\n", len, desc);
+
+       if ((desc[0] != len) ||    /* descriptor length */
+           (desc[1] != 0x5f) ||   /* vendor descriptor type */
+           (desc[2] != 0x01) ||   /* version (2 bytes) */
+           (desc[3] != 0x00) ||
+           (desc[4] != len - 2))  /* length after type */
+               goto unrecognized;
+
+       desc_end = desc + len;
+       desc += 5; /* the fixed header we've already parsed */
+
+       while (desc < desc_end) {
+               u8 length;
+               u16 key;
+
+               key = le16_to_cpu(*((u16 *)desc));
+               desc += sizeof(u16);
+               length = *desc;
+               desc++;
+
+               switch (key) {
+               case 0x0200: { /* max_area */
+                       u32 max_area = le32_to_cpu(*((u32 *)desc));
+
+                       DRM_DEBUG("DL chip limited to %d pixel modes\n",
+                                 max_area);
+                       udl->sku_pixel_limit = max_area;
+                       break;
+               }
+               default:
+                       break;
                }
+               desc += length;
        }
 
        goto success;
-- 
2.49.0

Reply via email to