drm/i915/bios: double check array-boundary in parse_sdvo_lvds_data
authorLuca Coelho <luciano.coelho@intel.com>
Tue, 28 May 2024 11:29:00 +0000 (14:29 +0300)
committerSuraj Kandpal <suraj.kandpal@intel.com>
Thu, 30 May 2024 10:38:03 +0000 (16:08 +0530)
During static analysis, a concern was raised that we may access the
dtd->dtd[] array out of bounds, because we are not checking whether
the index we use is larger than the array.

This should not be a problem as is, because the enumeration that is
used for this index comes from "panel_type", which uses an enumeration
with 4 items.  But if this enumeration is ever changed, it can lead to
hard-to-detect bugs, so better double-check it before using it as an
index to the array.

Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Suraj Kandpal <suraj.kandpal@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240528112901.476068-2-luciano.coelho@intel.com
drivers/gpu/drm/i915/display/intel_bios.c

index b0a49b2f957f5eb44614069b38622dc45811fce2..128fe9250f4001b3892ac25028556337159f91f8 100644 (file)
@@ -1120,6 +1120,18 @@ parse_sdvo_lvds_data(struct drm_i915_private *i915,
        if (!dtd)
                return;
 
+       /*
+        * This should not happen, as long as the panel_type
+        * enumeration doesn't grow over 4 items.  But if it does, it
+        * could lead to hard-to-detect bugs, so better double-check
+        * it here to be sure.
+        */
+       if (index >= ARRAY_SIZE(dtd->dtd)) {
+               drm_err(&i915->drm, "index %d is larger than dtd->dtd[4] array\n",
+                       index);
+               return;
+       }
+
        panel_fixed_mode = kzalloc(sizeof(*panel_fixed_mode), GFP_KERNEL);
        if (!panel_fixed_mode)
                return;
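Review bot: The `drm_err()` message in the added guard hard-codes the array size (`dtd->dtd[4]`) while the condition uses `ARRAY_SIZE(dtd->dtd)`, so the text goes stale in exactly the case the check exists for. "Larger than" is also inaccurate for `index == 4`, and, if `index` is a signed int as the `%d` suggests, for a negative value, which the conversion to unsigned in the comparison rejects as well. I would print the real bound instead: `drm_err(&i915->drm, "index %d out of range for dtd->dtd[] (%zu entries)\n", index, ARRAY_SIZE(dtd->dtd));`. The declaration and assignment of `index` and the lookup that produces `dtd` are outside the hunk, so whether the section found is actually long enough to hold `ARRAY_SIZE(dtd->dtd)` entries cannot be confirmed from here and is worth checking at the lookup.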