From da4b9fe25af12fafd16ea81655ff0a88bac255b9 Mon Sep 17 00:00:00 2001
From: Jani Nikula
Date: Tue, 29 Aug 2017 11:34:04 +0300
Subject: tools/intel_vbt_decode: make a copy of child devices before dumping
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Take child device size into account, avoid reading past the actual child device.
Acked-by: Ville Syrjälä
Signed-off-by: Jani Nikula
---
 tools/intel_vbt_decode.c | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)
(limited to 'tools/intel_vbt_decode.c')
diff --git a/tools/intel_vbt_decode.c b/tools/intel_vbt_decode.c
index 948dc29d..499dcb06 100644
--- a/tools/intel_vbt_decode.c
+++ b/tools/intel_vbt_decode.c
@@ -36,6 +36,7 @@
 #include
 #include
+#include "igt_aux.h"
 #include "intel_io.h"
 #include "intel_chipset.h"
 #include "drmtest.h"
@@ -475,6 +476,7 @@ static void dump_general_definitions(struct context *context,
 const struct bdb_block *block)
 {
 const struct bdb_general_definitions *defs = block->data;
+ struct child_device_config *child;
 int i;
 int child_device_num;
@@ -489,8 +491,22 @@ static void dump_general_definitions(struct context *context,
 printf("\tChild device size: %d\n", defs->child_dev_size);
 child_device_num = (block->size - sizeof(*defs)) / defs->child_dev_size;
- for (i = 0; i < child_device_num; i++)
- dump_child_device(context, (const void*)&defs->devices[i * defs->child_dev_size]);
+
+ /*
+ * Use a temp buffer so dump_child_device() doesn't have to worry about
+ * accessing the struct beyond child_dev_size. The tail, if any, remains
+ * initialized to zero.
+ */
+ child = calloc(1, sizeof(*child));
+
+ for (i = 0; i < child_device_num; i++) {
+ memcpy(child, &defs->devices[i * defs->child_dev_size],
+ min(sizeof(*child), defs->child_dev_size));
+
+ dump_child_device(context, child);
+ }
+
+ free(child);
 }
 static void dump_legacy_child_devices(struct context *context,
-- 
cgit v1.2.3
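Review bot: The `calloc()` result is used unchecked in the third hunk (`@@ -489,8 +491,22 @@`): if the allocation fails, the first `memcpy(child, ...)` in the loop writes through a NULL pointer, so add `if (!child) return;` directly after `child = calloc(1, sizeof(*child));`. The copy length is now bounded by `min(sizeof(*child), defs->child_dev_size)`, but the source side still trusts the VBT contents: the context line computing `child_device_num` divides by `defs->child_dev_size` and subtracts `sizeof(*defs)` from `block->size` with no validation visible here, so a malformed or truncated block could divide by zero or produce a count that lets `&defs->devices[i * defs->child_dev_size]` read past the block. The middle of `dump_general_definitions()` lies outside this hunk, so those fields may already be checked there; if they are not, a guard such as `if (!defs->child_dev_size || block->size < sizeof(*defs)) return;` before the division would cover both cases.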