From e01b7f904089b4db040e2d1dd6b3788c648c1a33 Mon Sep 17 00:00:00 2001
From: Brian Zhu
Date: Sat, 1 Sep 2018 02:10:02 +0800
Subject: [PATCH] osd: fix access disp_rect memory out-of-bounds by KASAN scan
PD#172933: osd: fix access disp_rect memory out-of-bounds by KASAN scan KASAN log: BUG: KASAN: global-out-of-bounds in osd_notify_callback+0x1e8/0x5f0 Read of size 4 at addr ffffff900c8e91a0 by task HwBinder:3063_2/3163
Change-Id: Icbea6a91da73919a09d37295660fb029e1de8488
Signed-off-by: Brian Zhu
---
 drivers/amlogic/media/osd/osd_fb.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/amlogic/media/osd/osd_fb.c b/drivers/amlogic/media/osd/osd_fb.c
index 2e2cf923c305..c409d45a165e 100644
--- a/drivers/amlogic/media/osd/osd_fb.c
+++ b/drivers/amlogic/media/osd/osd_fb.c
@@ -1716,6 +1716,11 @@ int osd_notify_callback(struct notifier_block *block, unsigned long cmd,
 for (i = 0; i < osd_meson_dev.osd_count; i++) {
 if (!disp_rect)
 break;
+
+ /* vout serve send only two layer axis */
+ if (i >= 2)
+ break;
+
 fb_dev = gp_fbdev_list[i];
 /*
 * if osd layer preblend,
@@ -1823,7 +1828,6 @@ int osd_notify_callback_viu2(struct notifier_block *block, unsigned long cmd,
 fb_dev->osd_ctl.disp_end_y = fb_dev->osd_ctl.disp_start_y + disp_rect->h - 1;
- disp_rect++;
 osd_log_dbg("new disp axis: x0:%d y0:%d x1:%d y1:%d\n",
 fb_dev->osd_ctl.disp_start_x,
 fb_dev->osd_ctl.disp_start_y,
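Review bot: The new guard `if (i >= 2) break;` in the first hunk (osd_notify_callback) hard-codes how many disp_rect entries the sender provides, so the out-of-bounds read KASAN reported can return as soon as that literal and the sender's array size drift apart. The array behind `para` is not declared in this hunk, so the real element count should be confirmed against the vout side and kept in a named constant in a header both sides include (placeholder name `VOUT_DISP_RECT_NUM`). The bound then belongs in the loop condition: `for (i = 0; i < osd_meson_dev.osd_count && i < VOUT_DISP_RECT_NUM; i++) {`. The comment would be clearer as `/* vout passes disp_rect entries for two layers only; never read past them */`. The loop body continues outside the hunk.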