Re: drivers/video/aty/atyfb_base.c: array overruns
From: syrjala
Date: Sat Mar 31 2007 - 10:45:54 EST
On Sat, Mar 31, 2007 at 09:23:29AM +0800, Antonino A. Daplas wrote:
> On Mon, 2007-03-19 at 10:22 +0100, Adrian Bunk wrote:
> > The Coverity checker spotted the following two array overruns in
> > drivers/video/aty/atyfb_base.c:
> >
> > <-- snip -->
> >
> > ...
> > static const u32 lt_lcd_regs[] = {
> > CONFIG_PANEL_LG,
> > LCD_GEN_CNTL_LG,
> > DSTN_CONTROL_LG,
> > HFB_PITCH_ADDR_LG,
> > HORZ_STRETCHING_LG,
> > VERT_STRETCHING_LG,
> > 0, /* EXT_VERT_STRETCH */
> > LT_GIO_LG,
> > POWER_MANAGEMENT_LG
> > };
>
> We can pad this array with zeroes, as a stop-gap measure. Ville, what do
> you think?
Actually this array overrun can never happen. LCD_MISC_CNTL is accessed
in the in the pmac backlight code and the backlight device is not
registered for the Rage LT chip (only user of lt_lcd_regs[]).
> >
> > void aty_st_lcd(int index, u32 val, const struct atyfb_par *par)
> > {
> > if (M64_HAS(LT_LCD_REGS)) {
> > aty_st_le32(lt_lcd_regs[index], val, par);
> > ...
> > }
> > ...
> > u32 aty_ld_lcd(int index, const struct atyfb_par *par)
> > {
> > if (M64_HAS(LT_LCD_REGS)) {
> > return aty_ld_le32(lt_lcd_regs[index], par);
> > ...
> > }
> > ...
> > static int aty_bl_update_status(struct backlight_device *bd)
> > {
> > struct atyfb_par *par = class_get_devdata(&bd->class_dev);
> > unsigned int reg = aty_ld_lcd(LCD_MISC_CNTL, par);
> > ...
> > aty_st_lcd(LCD_MISC_CNTL, reg, par);
> >
> > return 0;
> > }
> > ...
> >
> > <-- snip -->
> >
> > LCD_MISC_CNTL = 0x14 = 20 > 8
> >
> > cu
> > Adrian
> >
>
--
Ville Syrjälä
syrjala@xxxxxx
http://www.sci.fi/~syrjala/
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/