fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod()

Sergey Shtylyov · hdeller · commit 3f6dae09fc8c · 2025-05-31T10:24:02.000+02:00
In fb_find_mode_cvt(), iff mode->refresh somehow happens to be 0x80000000, cvt.f_refresh will become 0 when multiplying it by 2 due to overflow. It's then passed to fb_cvt_hperiod(), where it's used as a divider -- division by 0 will result in kernel oops. Add a sanity check for cvt.f_refresh to avoid such overflow... Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool. Fixes: 96fe6a2 ("[PATCH] fbdev: Add VESA Coordinated Video Timings (CVT) support") Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru> Signed-off-by: Helge Deller <deller@gmx.de>
diff --git a/drivers/video/fbdev/core/fbcvt.c b/drivers/video/fbdev/core/fbcvt.c
@@ -312,7 +312,7 @@ int fb_find_mode_cvt(struct fb_videomode *mode, int margins, int rb)
 	cvt.f_refresh = cvt.refresh;
 	cvt.interlace = 1;
 
-	if (!cvt.xres || !cvt.yres || !cvt.refresh) {
+	if (!cvt.xres || !cvt.yres || !cvt.refresh || cvt.f_refresh > INT_MAX) {
 		printk(KERN_INFO "fbcvt: Invalid input parameters\n");
 		return 1;
 	}

Original file line number	Diff line number	Diff line change
`@@ -312,7 +312,7 @@ int fb_find_mode_cvt(struct fb_videomode *mode, int margins, int rb)`
`312`	`312`	`cvt.f_refresh = cvt.refresh;`
`313`	`313`	`cvt.interlace = 1;`
`314`	`314`
`315`		`- if (!cvt.xres \|\| !cvt.yres \|\| !cvt.refresh) {`
	`315`	`+ if (!cvt.xres \|\| !cvt.yres \|\| !cvt.refresh \|\| cvt.f_refresh > INT_MAX) {`
`316`	`316`	`printk(KERN_INFO "fbcvt: Invalid input parameters\n");`
`317`	`317`	`return 1;`
`318`	`318`	`}`