dm: video: check bounds for column and row

CSI H can be used to position the cursor. The calling application may
specify a location that is beyond the limits of the screen. This may
lead to an illegal memory access.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>

diff --git a/drivers/video/vidconsole-uclass.c b/drivers/video/vidconsole-uclass.c
index f1d3ad36118112759fab46a9ad4670bcb420842f..0c36a5de0ad957389282437d33c8e249c12d861b 100644 (file)
--- a/drivers/video/vidconsole-uclass.c
+++ b/drivers/video/vidconsole-uclass.c
@@ -213,6 +213,14 @@ static void vidconsole_escape_char(struct udevice *dev, char ch)
                s++;    /* ; */
                s = parsenum(s, &col);
 
+               /*
+                * Ensure we stay in the bounds of the screen.
+                */
+               if (row >= priv->rows)
+                       row = priv->rows - 1;
+               if (col >= priv->cols)
+                       col = priv->cols - 1;
+
                priv->ycur = row * priv->y_charsize;
                priv->xcur_frac = priv->xstart_frac +
                        VID_TO_POS(col * priv->x_charsize);