Yu-Ping Wu has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/42770 )
Change subject: libpayload/cbgfx: Fix overflow in transform_vector() ......................................................................
libpayload/cbgfx: Fix overflow in transform_vector()
Fix potential overflow when multiplying integers in transform_vector().
In addition, check the lower bound in within_box().
BRANCH=none BUG=b:146399181, b:159772149 TEST=emerge-puff libpayload TEST=Previous screen is cleared properly for menu UI
Change-Id: I57845f54e18e5bdbd0d774209ee9632cb860b0c2 Signed-off-by: Yu-Ping Wu yupingso@chromium.org --- M payloads/libpayload/drivers/video/graphics.c 1 file changed, 10 insertions(+), 6 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/70/42770/1
diff --git a/payloads/libpayload/drivers/video/graphics.c b/payloads/libpayload/drivers/video/graphics.c
index 81d2bb9..7c1e67f 100644
--- a/payloads/libpayload/drivers/video/graphics.c
+++ b/payloads/libpayload/drivers/video/graphics.c
@@ -113,8 +113,8 @@
 {
 if (!is_valid_scale(a))
 return CBGFX_ERROR_INVALID_PARAMETER;
- out->x = a->x.n * in->x / a->x.d + offset->x;
- out->y = a->y.n * in->y / a->y.d + offset->y;
+ out->x = (int64_t)a->x.n * in->x / a->x.d + offset->x;
+ out->y = (int64_t)a->y.n * in->y / a->y.d + offset->y;
 return CBGFX_SUCCESS;
 }
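Review bot: The widened result is stored straight into `out->x` and `out->y`, so if those fields are narrower than 64 bits (their declaration is outside this hunk) an out-of-range value is still truncated silently and the function returns CBGFX_SUCCESS with a wrong coordinate. Later bounds checks such as within_box() appear to depend on these values, so a truncated coordinate could pass a check it should fail. Consider computing into a temporary and rejecting what does not fit, e.g. `int64_t x = (int64_t)a->x.n * in->x / a->x.d + offset->x;` followed by `if (x < INT32_MIN || x > INT32_MAX) return CBGFX_ERROR_INVALID_PARAMETER;`, and the same for y. Those limits assume 32-bit vector fields, which should be confirmed against the struct definition; the function signature lies above the hunk.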
@@ -124,11 +124,15 @@
 */
 static int within_box(const struct vector *v, const struct rect *bound)
 {
- if (v->x < bound->offset.x + bound->size.width &&
- v->y < bound->offset.y + bound->size.height)
+ if (v->x > bound->offset.x &&
+ v->y > bound->offset.y &&
+ v->x < bound->offset.x + bound->size.width &&
+ v->y < bound->offset.y + bound->size.height)
 return 1;
- else if (v->x <= bound->offset.x + bound->size.width &&
- v->y <= bound->offset.y + bound->size.height)
+ else if (v->x >= bound->offset.x &&
+ v->y >= bound->offset.y &&
+ v->x <= bound->offset.x + bound->size.width &&
+ v->y <= bound->offset.y + bound->size.height)
 return 0;
 else
 return -1;
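Review bot: The upper-bound sums `bound->offset.x + bound->size.width` and `bound->offset.y + bound->size.height` are still evaluated in the fields' own width, so the kind of overflow this commit removes from transform_vector() can recur here and make the check accept or reject the wrong points. Widening one operand keeps the comparisons exact, e.g. `v->x < (int64_t)bound->offset.x + bound->size.width`, applied to all four upper-bound comparisons. The field types are not visible in the hunk, so confirm the sum can actually exceed them before changing it. The comment block that closes on the first context line is also outside the hunk; if it still describes only the right and bottom edges, it should be updated to say the left and top edges are now checked and to spell out the 1 / 0 / -1 results.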