Patrick Georgi has submitted this change. ( https://review.coreboot.org/c/coreboot/+/42770 )
Change subject: libpayload/cbgfx: Fix overflow in transform_vector()
libpayload/cbgfx: Fix overflow in transform_vector()
Fix potential overflow when multiplying integers in transform_vector(). This issue is causing the absolute coordinate of the bottom right corner of the box to be incorrectly calculated for draw_rounded_box(), which is used in menu UI to clear the previous screen.
In addition, check the lower bound in within_box().
BRANCH=none
BUG=b:146399181, b:159772149
TEST=emerge-puff libpayload
TEST=Previous screen is cleared properly for menu UI

Change-Id: I57845f54e18e5bdbd0d774209ee9632cb860b0c2
Signed-off-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/42770
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Reviewed-by: Shelley Chen <shchen@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
---
M payloads/libpayload/drivers/video/graphics.c
1 file changed, 11 insertions(+), 7 deletions(-)
Approvals:
  build bot (Jenkins): Verified
  Paul Menzel: Looks good to me, but someone else must approve
  Shelley Chen: Looks good to me, approved
diff --git a/payloads/libpayload/drivers/video/graphics.c b/payloads/libpayload/drivers/video/graphics.c index 81d2bb9..13eac28 100644 --- a/payloads/libpayload/drivers/video/graphics.c +++ b/payloads/libpayload/drivers/video/graphics.c @@ -113,22 +113,26 @@ { if (!is_valid_scale(a)) return CBGFX_ERROR_INVALID_PARAMETER; - out->x = a->x.n * in->x / a->x.d + offset->x; - out->y = a->y.n * in->y / a->y.d + offset->y; + out->x = (int64_t)a->x.n * in->x / a->x.d + offset->x; + out->y = (int64_t)a->y.n * in->y / a->y.d + offset->y; return CBGFX_SUCCESS; }
/* * Returns 1 if v is exclusively within box, 0 if v is inclusively within box, - * or -1 otherwise. Note that only the right and bottom edges are examined. + * or -1 otherwise. */ static int within_box(const struct vector *v, const struct rect *bound) { - if (v->x < bound->offset.x + bound->size.width && - v->y < bound->offset.y + bound->size.height) + if (v->x > bound->offset.x && + v->y > bound->offset.y && + v->x < bound->offset.x + bound->size.width && + v->y < bound->offset.y + bound->size.height) return 1; - else if (v->x <= bound->offset.x + bound->size.width && - v->y <= bound->offset.y + bound->size.height) + else if (v->x >= bound->offset.x && + v->y >= bound->offset.y && + v->x <= bound->offset.x + bound->size.width && + v->y <= bound->offset.y + bound->size.height) return 0; else return -1;
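Review bot: In transform_vector(), the (int64_t) cast widens only the multiplication; the quotient plus offset->x (and likewise offset->y) is stored straight into out->x and out->y with no check that it fits, so if those fields are narrower than 64 bits an oversized result is still truncated silently. Consider computing each coordinate into a local int64_t, comparing it against the destination's range, and returning an error such as CBGFX_ERROR_INVALID_PARAMETER when it does not fit. In within_box(), the sums bound->offset.x + bound->size.width and bound->offset.y + bound->size.height are still evaluated in the operands' own type, so the new lower-bound comparisons do not help if an upper bound wraps; the same widening would make both functions consistent. The updated comment also drops the only sentence that said which edges are examined, so it would be worth stating that all four edges are now checked.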