drm/i915/dmc: explicitly sanitize num_entries from package_header

num_entries comes from package_header, which is read from an external
firmware blob and thus untrusted.  In parse_dmc_fw_package() we assign
package_header->num_entries to a local variable, but the range check
still uses the struct field directly.

Switch the check to use the local copy instead.  This makes the
sanitization explicit and avoids a redundant dereference.

Reviewed-by: Mitul Golani <mitulkumar.ajitkumar.golani@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Link: https://lore.kernel.org/r/20250909083042.1292672-1-luciano.coelho@intel.com

diff --git a/drivers/gpu/drm/i915/display/intel_dmc.c b/drivers/gpu/drm/i915/display/intel_dmc.c
index 77a0199f9ea5f1a4d84c820e07127ed80f04080c..517bebb0b4aac9471241447f90aee9ca9bdca765 100644 (file)
--- a/drivers/gpu/drm/i915/display/intel_dmc.c
+++ b/drivers/gpu/drm/i915/display/intel_dmc.c
@@ -1141,7 +1141,7 @@ parse_dmc_fw_package(struct intel_dmc *dmc,
        }
 
        num_entries = package_header->num_entries;
-       if (WARN_ON(package_header->num_entries > max_entries))
+       if (WARN_ON(num_entries > max_entries))
                num_entries = max_entries;
 
        fw_info = (const struct intel_fw_info *)