There seem to be tools producing incorrect 'end of bitmap data' markers '0100' in a RLE bitmap. Drawing such bitmaps can result in overwriting memory above the frame buffer. E.g. on MPC5121e based boards this memory can contain the U-Boot environment.
We may not rely on the correct end of bitmap data marker 0001 only, but also have to check whether we are going to draw a valid frame buffer scan line. The patch provides a simple fix by checking the row index: we finish the drawing if the row index becomes negative. Reported-by: Michael Weiss <michael.we...@ifm.com> Signed-off-by: Anatolij Gustschin <ag...@denx.de> Tested-by: Anatolij Gustschin <ag...@denx.de> --- drivers/video/cfb_console.c | 9 ++++++++- 1 files changed, 8 insertions(+), 1 deletions(-) diff --git a/drivers/video/cfb_console.c b/drivers/video/cfb_console.c index 3d047f2..599ebdb 100644 --- a/drivers/video/cfb_console.c +++ b/drivers/video/cfb_console.c @@ -938,7 +938,10 @@ static int display_rle8_bitmap (bmp_image_t *img, int xoff, int yoff, /* scan line end marker */ bm += 2; x = 0; - y--; + if (--y < 0) { + decode = 0; + continue; + } fbp = (unsigned char *) ((unsigned int)video_fb_address + (((y + yoff) * VIDEO_COLS) + @@ -952,6 +955,10 @@ static int display_rle8_bitmap (bmp_image_t *img, int xoff, int yoff, /* run offset marker */ x += bm[2]; y -= bm[3]; + if (y < 0) { + decode = 0; + continue; + } fbp = (unsigned char *) ((unsigned int)video_fb_address + (((y + yoff) * VIDEO_COLS) + -- 1.7.1 _______________________________________________ U-Boot mailing list U-Boot@lists.denx.de http://lists.denx.de/mailman/listinfo/u-boot
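Review bot: in the first hunk (scan line end marker, `if (--y < 0)`), the guard bounds the bitmap row index, but the frame buffer row that is actually written is `(y + yoff)` in the `fbp` computation a few lines below; `y >= 0` only keeps that inside the buffer if `yoff` is never negative, and nothing in the hunk checks the other side (`y + yoff` against the visible height). Either check `y + yoff < 0` directly or add a comment stating the assumption, e.g. `/* yoff is non-negative and clamped by the caller */`. The `decode = 0; continue;` exit also depends on the enclosing loop terminating on `decode == 0`, which the context lines do not show; worth confirming no other path keeps iterating after `decode` is cleared.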
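Review bot: in the second hunk (run offset marker) only the vertical delta is bounded; `x += bm[2]` stays unchecked, so a malformed offset can still push `x` past the bitmap width and the following `fbp` computation will address pixels outside the intended rectangle on that or the next scan line. Consider bailing out (or clamping) when `x` exceeds the bitmap width as well, since the commit message says the goal is to draw only valid scan lines. The three-line bail-out `if (y < 0) { decode = 0; continue; }` is also duplicated verbatim between the two hunks; a single `goto done;`-style exit or a small helper would keep both checks in step if the bound changes later.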