authorYu-Ping Wu <yupingso@chromium.org>2020-06-24 17:28:22 +0800
committerPatrick Georgi <pgeorgi@google.com>2020-06-28 21:52:18 +0000
commit373ae2e7346b4bcba8837ed87a12741fd7d9c107 (patch)
tree47152fcfc150a38b86e4971aa4d160418da0817f /payloads/libpayload/drivers/video
parentbe1ff7eb724bc674eb0f501b4b42675a679adbab (diff)
libpayload/cbgfx: Fix overflow in transform_vector()
Fix potential overflow when multiplying integers in transform_vector(). This issue is causing the absolute coordinate of the bottom right corner of the box to be incorrectly calculated for draw_rounded_box(), which is used in menu UI to clear the previous screen. In addition, check the lower bound in within_box(). BRANCH=none BUG=b:146399181, b:159772149 TEST=emerge-puff libpayload TEST=Previous screen is cleared properly for menu UI Change-Id: I57845f54e18e5bdbd0d774209ee9632cb860b0c2 Signed-off-by: Yu-Ping Wu <yupingso@chromium.org> Reviewed-on: https://review.coreboot.org/c/coreboot/+/42770 Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net> Reviewed-by: Shelley Chen <shchen@google.com> Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Diffstat (limited to 'payloads/libpayload/drivers/video')
-rw-r--r--payloads/libpayload/drivers/video/graphics.c18
1 files changed, 11 insertions, 7 deletions
diff --git a/payloads/libpayload/drivers/video/graphics.c b/payloads/libpayload/drivers/video/graphics.c
index 81d2bb9e55..13eac28ea5 100644
--- a/payloads/libpayload/drivers/video/graphics.c
+++ b/payloads/libpayload/drivers/video/graphics.c
@@ -113,22 +113,26 @@ static int transform_vector(struct vector *out,
{
if (!is_valid_scale(a))
return CBGFX_ERROR_INVALID_PARAMETER;
- out->x = a->x.n * in->x / a->x.d + offset->x;
- out->y = a->y.n * in->y / a->y.d + offset->y;
+ out->x = (int64_t)a->x.n * in->x / a->x.d + offset->x;
+ out->y = (int64_t)a->y.n * in->y / a->y.d + offset->y;
return CBGFX_SUCCESS;
}
/*
* Returns 1 if v is exclusively within box, 0 if v is inclusively within box,
- * or -1 otherwise. Note that only the right and bottom edges are examined.
+ * or -1 otherwise.
*/
static int within_box(const struct vector *v, const struct rect *bound)
{
- if (v->x < bound->offset.x + bound->size.width &&
- v->y < bound->offset.y + bound->size.height)
+ if (v->x > bound->offset.x &&
+ v->y > bound->offset.y &&
+ v->x < bound->offset.x + bound->size.width &&
+ v->y < bound->offset.y + bound->size.height)
return 1;
- else if (v->x <= bound->offset.x + bound->size.width &&
- v->y <= bound->offset.y + bound->size.height)
+ else if (v->x >= bound->offset.x &&
+ v->y >= bound->offset.y &&
+ v->x <= bound->offset.x + bound->size.width &&
+ v->y <= bound->offset.y + bound->size.height)
return 0;
else
return -1;
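Review bot: In transform_vector() the product is now computed in 64 bits, but the result is assigned straight back to `out->x` / `out->y` with no range check, so if those fields are 32-bit (their type is not visible in this hunk) a large scale or input still ends up as a silently truncated coordinate. Consider computing into a local and rejecting out-of-range values, e.g. `int64_t x = (int64_t)a->x.n * in->x / a->x.d + offset->x;` followed by `if (x < INT32_MIN || x > INT32_MAX) return CBGFX_ERROR_INVALID_PARAMETER;`, and the same for y. The same overflow class remains in within_box(), where `bound->offset.x + bound->size.width` and the matching height sum are still added in the member type; because this function acts as the bounds check, a wrapped sum could classify an outside point as inside, so those sums deserve the same widening. transform_vector()'s signature starts above the hunk and within_box()'s closing brace lies below it.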