Patrick Georgi merged this change.

View Change

nb/intel/{gm45,i945,x4x}: Correct array bounds checks

There will be an out of bounds read if the index is equal
to the array size. Fix the checks to exclude this case.

Found-by: Coverity Scan, CID 1347350, 1347351
Signed-off-by: Jacob Garber <jgarber1@ualberta.ca>
Change-Id: I5b4e8febb68dfd244faf597dfe5cdf509af7a2ae
Reviewed-on: https://review.coreboot.org/c/coreboot/+/32244
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
---
M src/northbridge/intel/gm45/ram_calc.c
M src/northbridge/intel/i945/ram_calc.c
M src/northbridge/intel/x4x/ram_calc.c
3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/northbridge/intel/gm45/ram_calc.c b/src/northbridge/intel/gm45/ram_calc.c
index c72055f..c1307c4 100644
--- a/src/northbridge/intel/gm45/ram_calc.c
+++ b/src/northbridge/intel/gm45/ram_calc.c
@@ -39,7 +39,7 @@
 	static const u16 ggc2uma[] = { 0, 1, 4, 8, 16, 32, 48, 64, 128, 256,
 				       96, 160, 224, 352 };
 
-	if (gms > ARRAY_SIZE(ggc2uma))
+	if (gms >= ARRAY_SIZE(ggc2uma))
 		die("Bad Graphics Mode Select (GMS) setting.\n");
 
 	return ggc2uma[gms] << 10;
diff --git a/src/northbridge/intel/i945/ram_calc.c b/src/northbridge/intel/i945/ram_calc.c
index 124a6a8..752c8f9 100644
--- a/src/northbridge/intel/i945/ram_calc.c
+++ b/src/northbridge/intel/i945/ram_calc.c
@@ -82,7 +82,7 @@
 	static const u16 ggc2uma[] = { 0, 1, 4, 8, 16, 32,
 			48, 64 };
 
-	if (gms > ARRAY_SIZE(ggc2uma))
+	if (gms >= ARRAY_SIZE(ggc2uma))
 		die("Bad Graphics Mode Select (GMS) setting.\n");
 
 	return ggc2uma[gms] << 10;
diff --git a/src/northbridge/intel/x4x/ram_calc.c b/src/northbridge/intel/x4x/ram_calc.c
index 8f9d739..3714969 100644
--- a/src/northbridge/intel/x4x/ram_calc.c
+++ b/src/northbridge/intel/x4x/ram_calc.c
@@ -36,7 +36,7 @@
 	static const u16 ggc2uma[] = { 0, 1, 4, 8, 16,
 			32, 48, 64, 128, 256, 96, 160, 224, 352 };
 
-	if (gms > ARRAY_SIZE(ggc2uma))
+	if (gms >= ARRAY_SIZE(ggc2uma))
 		die("Bad Graphics Mode Select (GMS) setting.\n");
 
 	return ggc2uma[gms] << 10;
@@ -47,7 +47,7 @@
 {
 	static const u8 ggc2gtt[] = { 0, 1, 0, 2, 0, 0, 0, 0, 0, 2, 3, 4};
 
-	if (gsm > ARRAY_SIZE(ggc2gtt))
+	if (gsm >= ARRAY_SIZE(ggc2gtt))
 		die("Bad GTT Graphics Memory Size (GGMS) setting.\n");
 
 	return ggc2gtt[gsm] << 10;

To view, visit change 32244. To unsubscribe, or for help writing mail filters, visit settings.