drm/radeon: fix handling of variable sized arrays for router objects
authorAlex Deucher <alexander.deucher@amd.com>
Tue, 27 Aug 2013 16:36:01 +0000 (12:36 -0400)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 1 Oct 2013 16:17:47 +0000 (09:17 -0700)
commit fb93df1c2d8b3b1fb16d6ee9e32554e0c038815d upstream.

The table has the following format:

typedef struct _ATOM_SRC_DST_TABLE_FOR_ONE_OBJECT         //usSrcDstTableOffset pointing to this structure
{
  UCHAR               ucNumberOfSrc;
  USHORT              usSrcObjectID[1];
  UCHAR               ucNumberOfDst;
  USHORT              usDstObjectID[1];
}ATOM_SRC_DST_TABLE_FOR_ONE_OBJECT;

usSrcObjectID[] and usDstObjectID[] are variably sized, so we
can't access them directly.  Use pointers and update the offset
appropriately when accessing the Dst members.

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/gpu/drm/radeon/radeon_atombios.c

index f527b6f034c9af959f2d39665623d9ed3d1d2a0e..239a4074f12283eed177f52b87a13f5601f23f50 100644 (file)
@@ -715,13 +715,16 @@ bool radeon_get_atom_connector_info_from_object_table(struct drm_device *dev)
                                                                (ATOM_SRC_DST_TABLE_FOR_ONE_OBJECT *)
                                                                (ctx->bios + data_offset +
                                                                 le16_to_cpu(router_obj->asObjects[k].usSrcDstTableOffset));
+                                                       u8 *num_dst_objs = (u8 *)
+                                                               ((u8 *)router_src_dst_table + 1 +
+                                                                (router_src_dst_table->ucNumberOfSrc * 2));
+                                                       u16 *dst_objs = (u16 *)(num_dst_objs + 1);
                                                        int enum_id;
 
                                                        router.router_id = router_obj_id;
-                                                       for (enum_id = 0; enum_id < router_src_dst_table->ucNumberOfDst;
-                                                            enum_id++) {
+                                                       for (enum_id = 0; enum_id < (*num_dst_objs); enum_id++) {
                                                                if (le16_to_cpu(path->usConnObjectId) ==
-                                                                   le16_to_cpu(router_src_dst_table->usDstObjectID[enum_id]))
+                                                                   le16_to_cpu(dst_objs[enum_id]))
                                                                        break;
                                                        }