From d92137adaba2898c86d696859c7c33f0a3bd7cbb Mon Sep 17 00:00:00 2001 From: Jacob Garber Date: Mon, 15 Jul 2019 13:48:41 -0600 Subject: [PATCH] nb/via/vx900: Ensure framebuffer size is within limits - Use log2() when rounding down size_mb to the closest power of 2. Do a sanity check beforehand that size_mb is nonzero, else log2() will return -1 and there will be an undefined integer shift. - The framebuffer size needs to be between 8 and 512 MiB, so check after all the calculations are done to make sure this is the case. Change-Id: I3962e5cdc094c8da22d8dbadf16637e02fa98689 Signed-off-by: Jacob Garber Found-by: Coverity CID 1391086 Reviewed-on: https://review.coreboot.org/c/coreboot/+/34355 Tested-by: build bot (Jenkins) Reviewed-by: Nico Huber --- src/northbridge/via/vx900/memmap.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/src/northbridge/via/vx900/memmap.c b/src/northbridge/via/vx900/memmap.c index 0c3b7bfc76..d11dc65fd6 100644 --- a/src/northbridge/via/vx900/memmap.c +++ b/src/northbridge/via/vx900/memmap.c @@ -21,6 +21,7 @@ #include #include #include +#include #include "vx900.h" @@ -78,12 +79,16 @@ void vx900_set_chrome9hd_fb_size(u32 size_mb) size_mb = max_size_mb; } - /* Now round the framebuffer size to the closest power of 2 */ - u8 fb_pow = 0; - while (size_mb >> fb_pow) - fb_pow++; - fb_pow--; - size_mb = (1 << fb_pow); + /* Now round down the framebuffer size to the closest power of 2 */ + if (size_mb == 0) + die("Framebuffer size is 0\n"); + + int fb_pow = log2(size_mb); + + size_mb = 1U << fb_pow; + + if (size_mb < CHROME_9_HD_MIN_FB_SIZE || size_mb > CHROME_9_HD_MAX_FB_SIZE) + die("Framebuffer size %u is out of range\n", size_mb); pci_update_config8(MCU, 0xa1, ~(7 << 4), (fb_pow - 2) << 4); }