Commit db794445 authored Sep 09, 2025 by Luca Coelho

drm/i915/dmc: explicitly sanitize num_entries from package_header

num_entries comes from package_header, which is read from an external
firmware blob and thus untrusted. In parse_dmc_fw_package() we assign
package_header->num_entries to a local variable, but the range check
still uses the struct field directly.

Switch the check to use the local copy instead. This makes the
sanitization explicit and avoids a redundant dereference.

Reviewed-by: Mitul Golani <mitulkumar.ajitkumar.golani@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Link: https://lore.kernel.org/r/20250909083042.1292672-1-luciano.coelho@intel.com

parent cef58ce5

drivers/gpu/drm/i915/display/intel_dmc.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1141,7 +1141,7 @@ parse_dmc_fw_package(struct intel_dmc *dmc,
		}

		num_entries = package_header->num_entries;
		if (WARN_ON(package_header->num_entries > max_entries))
		if (WARN_ON(num_entries > max_entries))
		num_entries = max_entries;

		fw_info = (const struct intel_fw_info *)