From 373ae2e7346b4bcba8837ed87a12741fd7d9c107 Mon Sep 17 00:00:00 2001 From: Yu-Ping Wu Date: Wed, 24 Jun 2020 17:28:22 +0800 Subject: [PATCH] libpayload/cbgfx: Fix overflow in transform_vector() Fix potential overflow when multiplying integers in transform_vector(). This issue is causing the absolute coordinate of the bottom right corner of the box to be incorrectly calculated for draw_rounded_box(), which is used in menu UI to clear the previous screen. In addition, check the lower bound in within_box(). BRANCH=none BUG=b:146399181, b:159772149 TEST=emerge-puff libpayload TEST=Previous screen is cleared properly for menu UI Change-Id: I57845f54e18e5bdbd0d774209ee9632cb860b0c2 Signed-off-by: Yu-Ping Wu Reviewed-on: https://review.coreboot.org/c/coreboot/+/42770 Reviewed-by: Paul Menzel Reviewed-by: Shelley Chen Tested-by: build bot (Jenkins) --- payloads/libpayload/drivers/video/graphics.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/payloads/libpayload/drivers/video/graphics.c b/payloads/libpayload/drivers/video/graphics.c index 81d2bb9e55..13eac28ea5 100644 --- a/payloads/libpayload/drivers/video/graphics.c +++ b/payloads/libpayload/drivers/video/graphics.c @@ -113,22 +113,26 @@ static int transform_vector(struct vector *out, { if (!is_valid_scale(a)) return CBGFX_ERROR_INVALID_PARAMETER; - out->x = a->x.n * in->x / a->x.d + offset->x; - out->y = a->y.n * in->y / a->y.d + offset->y; + out->x = (int64_t)a->x.n * in->x / a->x.d + offset->x; + out->y = (int64_t)a->y.n * in->y / a->y.d + offset->y; return CBGFX_SUCCESS; } /* * Returns 1 if v is exclusively within box, 0 if v is inclusively within box, - * or -1 otherwise. Note that only the right and bottom edges are examined. + * or -1 otherwise. */ static int within_box(const struct vector *v, const struct rect *bound) { - if (v->x < bound->offset.x + bound->size.width && - v->y < bound->offset.y + bound->size.height) + if (v->x > bound->offset.x && + v->y > bound->offset.y && + v->x < bound->offset.x + bound->size.width && + v->y < bound->offset.y + bound->size.height) return 1; - else if (v->x <= bound->offset.x + bound->size.width && - v->y <= bound->offset.y + bound->size.height) + else if (v->x >= bound->offset.x && + v->y >= bound->offset.y && + v->x <= bound->offset.x + bound->size.width && + v->y <= bound->offset.y + bound->size.height) return 0; else return -1;