There seems to be tools producing incorrect 'end of bitmap data'
markers '0100' in a RLE bitmap. Drawing such bitmaps can result
in overwriting memory above the frame buffer. E.g. on MPC5121e
based boards this memory can contain U-Boot environment.
We may not rely on the correct end of bitmap data marker 0001
only, but also have to check whether we are going to draw a
valid frame buffer scan line.
The patch provides a simple fix by checking the row index:
we finish the drawing if the row index becomes negative.
Reported-by: Michael Weiss <michael.we...@ifm.com>
Signed-off-by: Anatolij Gustschin <ag...@denx.de>
Tested-by: Anatolij Gustschin <ag...@denx.de>
---
drivers/video/cfb_console.c | 9 ++++++++-
1 files changed, 8 insertions(+), 1 deletions(-)
diff --git a/drivers/video/cfb_console.c b/drivers/video/cfb_console.c
index 3d047f2..599ebdb 100644
--- a/drivers/video/cfb_console.c
+++ b/drivers/video/cfb_console.c
@@ -938,7 +938,10 @@ static int display_rle8_bitmap (bmp_image_t *img, int
xoff, int yoff,
/* scan line end marker */
bm += 2;
x = 0;
- y--;
+ if (--y < 0) {
+ decode = 0;
+ continue;
+ }
fbp = (unsigned char *)
((unsigned int)video_fb_address +
(((y + yoff) * VIDEO_COLS) +
@@ -952,6 +955,10 @@ static int display_rle8_bitmap (bmp_image_t *img, int
xoff, int yoff,
/* run offset marker */
x += bm[2];
y -= bm[3];
+ if (y < 0) {
+ decode = 0;
+ continue;
+ }
fbp = (unsigned char *)
((unsigned int)video_fb_address +
(((y + yoff) * VIDEO_COLS) +
--
1.7.1
_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
http://lists.denx.de/mailman/listinfo/u-boot
