diff options
author | Yu-Ping Wu <yupingso@chromium.org> | 2020-06-24 17:28:22 +0800 |
---|---|---|
committer | Patrick Georgi <pgeorgi@google.com> | 2020-06-28 21:52:18 +0000 |
commit | 373ae2e7346b4bcba8837ed87a12741fd7d9c107 (patch) | |
tree | 47152fcfc150a38b86e4971aa4d160418da0817f /payloads/libpayload | |
parent | be1ff7eb724bc674eb0f501b4b42675a679adbab (diff) | |
download | coreboot-373ae2e7346b4bcba8837ed87a12741fd7d9c107.tar.xz |
libpayload/cbgfx: Fix overflow in transform_vector()
Fix potential overflow when multiplying integers in transform_vector().
This issue is causing the absolute coordinate of the bottom right corner
of the box to be incorrectly calculated for draw_rounded_box(), which is
used in menu UI to clear the previous screen.
In addition, check the lower bound in within_box().
BRANCH=none
BUG=b:146399181, b:159772149
TEST=emerge-puff libpayload
TEST=Previous screen is cleared properly for menu UI
Change-Id: I57845f54e18e5bdbd0d774209ee9632cb860b0c2
Signed-off-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/42770
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Reviewed-by: Shelley Chen <shchen@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Diffstat (limited to 'payloads/libpayload')
-rw-r--r-- | payloads/libpayload/drivers/video/graphics.c | 18 |
1 files changed, 11 insertions, 7 deletions
diff --git a/payloads/libpayload/drivers/video/graphics.c b/payloads/libpayload/drivers/video/graphics.c index 81d2bb9e55..13eac28ea5 100644 --- a/payloads/libpayload/drivers/video/graphics.c +++ b/payloads/libpayload/drivers/video/graphics.c @@ -113,22 +113,26 @@ static int transform_vector(struct vector *out, { if (!is_valid_scale(a)) return CBGFX_ERROR_INVALID_PARAMETER; - out->x = a->x.n * in->x / a->x.d + offset->x; - out->y = a->y.n * in->y / a->y.d + offset->y; + out->x = (int64_t)a->x.n * in->x / a->x.d + offset->x; + out->y = (int64_t)a->y.n * in->y / a->y.d + offset->y; return CBGFX_SUCCESS; } /* * Returns 1 if v is exclusively within box, 0 if v is inclusively within box, - * or -1 otherwise. Note that only the right and bottom edges are examined. + * or -1 otherwise. */ static int within_box(const struct vector *v, const struct rect *bound) { - if (v->x < bound->offset.x + bound->size.width && - v->y < bound->offset.y + bound->size.height) + if (v->x > bound->offset.x && + v->y > bound->offset.y && + v->x < bound->offset.x + bound->size.width && + v->y < bound->offset.y + bound->size.height) return 1; - else if (v->x <= bound->offset.x + bound->size.width && - v->y <= bound->offset.y + bound->size.height) + else if (v->x >= bound->offset.x && + v->y >= bound->offset.y && + v->x <= bound->offset.x + bound->size.width && + v->y <= bound->offset.y + bound->size.height) return 0; else return -1; |