Commit 114094c8 authored by Hans de Goede's avatar Hans de Goede Committed by Greg Kroah-Hartman
Browse files

staging: vboxvideo: Fix NULL ptr deref in vbox_set_up_input_mapping() 



When vbox_set_up_input_mapping() gets called the first crtc might be
disable and not have a fb at all, triggering a NUL ptr deref at:

			vbox->input_mapping_width = CRTC_FB(crtci)->width;

Instead of using the fb from the crtc with id 0, just use the fb from
the first crtc with a fb. This is in the single_framebuffer = true path,
so all crtc-s point to the same fb anyways.

Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 0fdda2ce

drivers/staging/vboxvideo/vbox_mode.c

+4 −4
Original line number Diff line number Diff line
@@ -189,17 +189,17 @@ static bool vbox_set_up_input_mapping(struct vbox_private *vbox) 
		}

	}

	if (single_framebuffer) {

		vbox->single_framebuffer = true;

		list_for_each_entry(crtci, &vbox->ddev.mode_config.crtc_list,

				    head) {

			if (to_vbox_crtc(crtci)->crtc_id != 0)

			if (!CRTC_FB(crtci))

				continue;



			vbox->single_framebuffer = true;

			vbox->input_mapping_width = CRTC_FB(crtci)->width;

			vbox->input_mapping_height = CRTC_FB(crtci)->height;

			return old_single_framebuffer !=

			       vbox->single_framebuffer;

			break;

		}

		return old_single_framebuffer != vbox->single_framebuffer;

	}

	/* Otherwise calculate the total span of all screens. */

	list_for_each_entry(connectori, &vbox->ddev.mode_config.connector_list,

CRA Git | Maintained and supported by SUSTech CRA and CCSE