[U-Boot] [PATCH] cfb_console: fix RLE bitmap drawing code

[Anatolij Gustschin]

There seems to be tools producing incorrect 'end of bitmap data'
markers '0100' in a RLE bitmap. Drawing such bitmaps can result
in overwriting memory above the frame buffer. E.g. on MPC5121e
based boards this memory can contain U-Boot environment.

We may not rely on the correct end of bitmap data marker 0001
only, but also have to check whether we are going to draw a
valid frame buffer scan line.

The patch provides a simple fix by checking the row index:
we finish the drawing if the row index becomes negative.

Reported-by: Michael Weiss <michael.weiss at ifm.com>
Signed-off-by: Anatolij Gustschin <agust at denx.de>
Tested-by: Anatolij Gustschin <agust at denx.de>
---
 drivers/video/cfb_console.c |    9 ++++++++-
 1 files changed, 8 insertions(+), 1 deletions(-)

diff --git a/drivers/video/cfb_console.c b/drivers/video/cfb_console.c
index 3d047f2..599ebdb 100644
--- a/drivers/video/cfb_console.c
+++ b/drivers/video/cfb_console.c
@@ -938,7 +938,10 @@ static int display_rle8_bitmap (bmp_image_t *img, int xoff, int yoff,
 				/* scan line end marker */
 				bm += 2;
 				x = 0;
-				y--;
+				if (--y < 0) {
+					decode = 0;
+					continue;
+				}
 				fbp = (unsigned char *)
 					((unsigned int)video_fb_address +
 					 (((y + yoff) * VIDEO_COLS) +
@@ -952,6 +955,10 @@ static int display_rle8_bitmap (bmp_image_t *img, int xoff, int yoff,
 				/* run offset marker */
 				x += bm[2];
 				y -= bm[3];
+				if (y < 0) {
+					decode = 0;
+					continue;
+				}
 				fbp = (unsigned char *)
 					((unsigned int)video_fb_address +
 					 (((y + yoff) * VIDEO_COLS) +
-- 
1.7.1