Paul Menzel (paulepanter@users.sourceforge.net) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/8227
-gerrit
commit 34d00c203579fe7de4d1f0268367f68b4adf0c26
Author: Zhuo-Hao Lee <zhuo-hao.lee@intel.com>
Date:   Wed Dec 24 11:13:34 2014 +0800
device/oprom/realmode/x86: Fix memory corruption
The length of the memcpy is incorrect and this will cause the destination buffer to corrupt the following 2 bytes of data.
BUG=none
BRANCH=All
TEST=build and boot on rambi, system boot up without error
Change-Id: I96adf2555b01aa35bb38a2e0f221fc2b2e87a41b
Signed-off-by: Zhuo-Hao Lee <zhuo-hao.lee@intel.com>
Reviewed-on: https://chromium-review.googlesource.com/237510
Reviewed-by: Ryan Lin <ryan.lin@intel.com>
Reviewed-by: Duncan Laurie <dlaurie@chromium.org>
Signed-off-by: Paul Menzel <paulepanter@users.sourceforge.net>
---
 src/device/oprom/realmode/x86.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/device/oprom/realmode/x86.c b/src/device/oprom/realmode/x86.c index fc3c40c..07eb26c 100644 --- a/src/device/oprom/realmode/x86.c +++ b/src/device/oprom/realmode/x86.c @@ -233,7 +233,8 @@ static u8 vbe_get_mode_info(vbe_mode_info_t * mi) u16 buffer_adr = ((unsigned long)buffer) & 0xffff; realmode_interrupt(0x10, VESA_GET_MODE_INFO, 0x0000, mi->video_mode, 0x0000, buffer_seg, buffer_adr); - memcpy(mi->mode_info_block, buffer, sizeof(vbe_mode_info_t)); + memcpy(mi->mode_info_block, buffer, + FIELD_SIZEOF(vbe_mode_info_t, mode_info_block)); mode_info_valid = 1; return 0; }
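Review bot: the new length FIELD_SIZEOF(vbe_mode_info_t, mode_info_block) now matches the destination member, but the source side of the memcpy is still unchecked in this hunk: realmode_interrupt() fills `buffer`, and nothing here shows that `buffer` holds at least that many bytes. If `buffer` is a fixed array, a compile-time check next to the copy, e.g. `_Static_assert(sizeof(buffer) >= FIELD_SIZEOF(vbe_mode_info_t, mode_info_block), "realmode buffer too small");` (or the project's BUILD_BUG_ON equivalent), would pin both sides. The hunk also adds no include for FIELD_SIZEOF, so please confirm the header defining it is already pulled into x86.c. Finally, the commit message says the old length overruns by 2 bytes; naming the member that accounts for sizeof(vbe_mode_info_t) minus the mode_info_block field would let a reader verify that number from the struct definition.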
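To make the commit message's point concrete, the following is an added example written for this page, not code from coreboot or from the patch. It assumes a struct layout of a u16 video_mode followed by a 256-byte mode_info_block (the real vbe_mode_info_t in coreboot's headers may differ), assumes FIELD_SIZEOF is the usual `sizeof(((type *)0)->member)` macro, and uses a constructed scratch buffer in place of the real-mode buffer that the VESA call fills. A sentinel placed directly after the struct shows the 2-byte clobber with the old length and its absence with the fixed one; the copy goes through a byte pointer bounded by the enclosing harness so the demonstration itself stays within defined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint8_t u8;
typedef uint16_t u16;

/* Assumption: coreboot's FIELD_SIZEOF is equivalent to this common definition. */
#define FIELD_SIZEOF(t, f) (sizeof(((t *)0)->f))

/* Assumed layout mirroring vbe_mode_info_t; the real header may differ. */
typedef struct {
	u16 video_mode;
	u8 mode_info_block[256];
} vbe_mode_info_t;

/* Harness: the struct followed immediately by a sentinel so an overrun is observable.
 * sizeof(vbe_mode_info_t) is 258, a multiple of 2, so no padding precedes the sentinel. */
struct harness {
	vbe_mode_info_t mi;
	u16 sentinel;
};

#define SENTINEL 0xA55Au

/* Constructed stand-in for the real-mode scratch buffer the BIOS call fills. */
static u8 scratch[512];

static void fill_scratch(void)
{
	for (size_t i = 0; i < sizeof(scratch); i++)
		scratch[i] = (u8)i;
}

/* Bytes the old memcpy length writes past the end of mode_info_block. */
size_t overrun_bytes(void)
{
	return sizeof(vbe_mode_info_t) - FIELD_SIZEOF(vbe_mode_info_t, mode_info_block);
}

/* Copy len bytes from scratch into mode_info_block and report whether the sentinel
 * survived: 1 = intact, 0 = clobbered, -1 = len would leave the harness entirely
 * (refused, so the demo never writes outside an object it owns). */
int sentinel_intact_after_copy(size_t len)
{
	struct harness h;
	size_t off = offsetof(struct harness, mi) + offsetof(vbe_mode_info_t, mode_info_block);

	if (len > sizeof(h) - off)
		return -1;

	fill_scratch();
	memset(&h, 0, sizeof(h));
	h.mi.video_mode = 0x0118;
	h.sentinel = SENTINEL;

	/* Byte-pointer copy within the harness object; mirrors memcpy(mi->mode_info_block, buffer, len). */
	memcpy((u8 *)&h + off, scratch, len);

	/* The copy must not touch the member that precedes the array either. */
	if (h.mi.video_mode != 0x0118)
		return 0;
	return h.sentinel == SENTINEL;
}

/* The 'before' state of the patch: whole-struct size copied into the member. */
int before_fix(void)
{
	return sentinel_intact_after_copy(sizeof(vbe_mode_info_t));
}

/* The 'after' state: length bounded by the destination member. */
int after_fix(void)
{
	return sentinel_intact_after_copy(FIELD_SIZEOF(vbe_mode_info_t, mode_info_block));
}

int main(void)
{
	printf("overrun with sizeof(vbe_mode_info_t): %zu bytes\n", overrun_bytes());
	printf("sentinel intact before fix: %d\n", before_fix());
	printf("sentinel intact after fix:  %d\n", after_fix());
	return 0;
}
```

The refusal branch matters for the demo only: a real firmware memcpy has no such guard, which is exactly why the length must be derived from the destination field rather than the enclosing struct.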