fbcon: Add defensive coding to logo loader

6by9 · 6by9 · commit d48f6fd34269 · 2025-10-13T16:53:45.000+01:00
There were various points where the loader was using uninitialised
data, had the potential to run off the end of an array, or was
handling core functions incorrectly. Fix these up.

(It still goes quite badly wrong if the framebuffer isn't
16bpp)

Signed-off-by: Dave Stevenson &lt;dave.stevenson@raspberrypi.com&gt;
diff --git a/drivers/video/fbdev/core/fb_logo.c b/drivers/video/fbdev/core/fb_logo.c
@@ -339,8 +339,8 @@ static void fb_set_logo_from_file(struct fb_info *info, const char *filepath,
 {
 	int current_rows = 0, palette_index = 0, actual_row, skip_x = 0, skip_y = 0, ret;
 	unsigned char *read_logo = NULL, *header;
-	const char *file_content = NULL;
-	const struct firmware *fw;
+	const char *file_content;
+	const struct firmware *fw = NULL;
 	struct image_palette image_palette;
 	const char *current_ptr, *end_ptr;
 	long width = 0, height = 0;
@@ -349,98 +349,108 @@ static void fb_set_logo_from_file(struct fb_info *info, const char *filepath,
 	u8 entry[3];
 	ssize_t len;
 
-	ret = request_firmware(&fw, filepath, info->device);
+	ret = firmware_request_nowarn(&fw, filepath, info->device);
 	if (ret) {
 		pr_info("Failed to load logo file '%s': %d\n", filepath, ret);
 		goto cleanup;
 	}
 	len = fw->size;
 	file_content = fw->data;
 
-	if (len > 0) {
-		current_ptr = file_content;
-		end_ptr = file_content + len;
-		if (len < 18) {
-			pr_err("Invalid logo file: TGA file too small for header\n");
-			goto cleanup;
-		}
-		header = (unsigned char *)file_content;
-
-		// Skip color map info (bytes 3-7)
-		// Skip image origin (bytes 8-11)
-		width = header[12] | (header[13] << 8);
-		height = header[14] | (header[15] << 8);
-
-		// Only supports uncompressed true-color images (type 2) with 24-bit depth
-		if (header[2] != 2 || header[16] != 24) {
-			pr_err("Unsupported TGA logo format: Type=%d, Depth=%d (only support Type=2, Depth=24)\n",
-				header[2], header[16]);
-			goto cleanup;
-		}
-		// Skip header + ID field
-		current_ptr = file_content + 18 + header[0];
+	if (!len) {
+		pr_err("Error: logo TGA file is empty. Not drawing fullscreen logo.\n");
+		goto cleanup;
+	}
 
-		read_logo = kmalloc_array(width, height, GFP_KERNEL);
-		if (!read_logo)
-			goto cleanup;
+	current_ptr = file_content;
+	end_ptr = file_content + len;
+	if (len < 18) {
+		pr_err("Invalid logo file: TGA file too small for header\n");
+		goto cleanup;
+	}
+	header = (unsigned char *)file_content;
 
-		image->data = read_logo;
+	// Skip color map info (bytes 3-7)
+	// Skip image origin (bytes 8-11)
+	width = header[12] | (header[13] << 8);
+	height = header[14] | (header[15] << 8);
 
-		// TGA pixels are stored bottom-to-top by default, unless bit 5 of
-		// image_descriptor is set
-		top_to_bottom = (header[17] & 0x20) != 0;
-		skip_x = 0;
-		skip_y = 0;
+	// Only supports uncompressed true-color images (type 2) with 24-bit depth
+	if (header[2] != 2 || header[16] != 24) {
+		pr_err("Unsupported TGA logo format: Type=%d, Depth=%d (only support Type=2, Depth=24)\n",
+		       header[2], header[16]);
+		goto cleanup;
+	}
+	// Skip header + ID field
+	current_ptr = file_content + 18 + header[0];
 
-		if (image->width > info->var.xres) {
-			pr_info("Logo is larger than screen, clipping horizontally");
-			skip_x = (image->width - info->var.xres) / 2;
-		}
-		if (image->height > info->var.yres) {
-			pr_info("Logo is larger than screen, clipping vertically");
-			skip_y = (image->height - info->var.yres) / 2;
-		}
-		current_ptr += skip_y * width * 3 + skip_x * 3;
-		// Parse pixel data (BGR format in TGA)
-		for (int i = 0; i < height - 2 * skip_y; i++) {
-			for (int j = 0; j < width - 2 * skip_x; j++) {
-				if (current_ptr + 3 > end_ptr) {
-					pr_info("TGA: Unexpected end of file\n");
-					goto cleanup;
-				}
-				B = (unsigned char)*current_ptr++;
-				G = (unsigned char)*current_ptr++;
-				R = (unsigned char)*current_ptr++;
-				entry[0] = R;
-				entry[1] = G;
-				entry[2] = B;
-				palette_index = 0;
-
-				if (!fb_palette_contains_entry(&image_palette, current_rows,
-								entry, 3, &palette_index)) {
+	read_logo = kmalloc_array(width, height, GFP_KERNEL);
+	if (!read_logo)
+		goto cleanup;
+
+	image->data = read_logo;
+
+	// TGA pixels are stored bottom-to-top by default, unless bit 5 of
+	// image_descriptor is set
+	top_to_bottom = (header[17] & 0x20) != 0;
+	skip_x = 0;
+	skip_y = 0;
+
+	if (width > info->var.xres) {
+		pr_info("Logo is larger than screen (%lu vs %u), clipping horizontally\n",
+			width, info->var.xres);
+		skip_x = (width - info->var.xres) / 2;
+	}
+	if (height > info->var.yres) {
+		pr_info("Logo is larger than screen (%lu vs %u), clipping vertically\n",
+			height, info->var.yres);
+		skip_y = (height - info->var.yres) / 2;
+	}
+	current_ptr += skip_y * width * 3 + skip_x * 3;
+	// Parse pixel data (BGR format in TGA)
+	for (int i = 0; i < height - 2 * skip_y; i++) {
+		for (int j = 0; j < width - 2 * skip_x; j++) {
+			if (current_ptr + 3 > end_ptr) {
+				pr_info("TGA: Unexpected end of file\n");
+				goto cleanup;
+			}
+			B = (unsigned char)*current_ptr++;
+			G = (unsigned char)*current_ptr++;
+			R = (unsigned char)*current_ptr++;
+			entry[0] = R;
+			entry[1] = G;
+			entry[2] = B;
+			palette_index = 0;
+
+			if (!fb_palette_contains_entry(&image_palette, current_rows,
+						       entry, 3, &palette_index)) {
+				if (current_rows < 224) {
 					for (int k = 0; k < 3; k++)
-						image_palette.colors[current_rows][k] = entry[k];
+						image_palette.colors[current_rows][k] =
+								entry[k];
 					palette_index = current_rows;
-					current_rows++;
 				}
-				actual_row = top_to_bottom ? i : (height - 1 - i);
-
-				read_logo[actual_row * (width - 2 * skip_x) + j] =
-					palette_index + 32;
+				current_rows++;
 			}
-			current_ptr += skip_x * 3 * 2;
+			actual_row = top_to_bottom ? i : (height - 1 - i);
+
+			read_logo[actual_row * (width - 2 * skip_x) + j] =
+				palette_index + 32;
 		}
+		current_ptr += skip_x * 3 * 2;
+	}
 
-		// Set logo palette
-		palette = kmalloc(256 * 4, GFP_KERNEL);
-		if (palette == NULL)
-			goto cleanup;
-		fb_set_logo_RGB_palette(&image_palette, palette, current_rows);
-		info->pseudo_palette = palette;
+	if (current_rows >= 224)
+		pr_err("Palette overflow. Entries clipped\n");
 
-	} else {
-		pr_err("Error: logo TGA file is empty. Not drawing fullscreen logo.\n");
-	}
+	// Set logo palette
+	palette = kzalloc(256 * 4, GFP_KERNEL);
+	if (!palette)
+		goto cleanup;
+	fb_set_logo_RGB_palette(&image_palette, palette, current_rows);
+	if (info->pseudo_palette)
+		memcpy(palette, info->pseudo_palette, 32 * sizeof(uint16_t));
+	info->pseudo_palette = palette;
 
 	image->width = min_t(unsigned int, width, info->var.xres);
 	image->height = min_t(unsigned int, height, info->var.yres);
@@ -455,8 +465,7 @@ static void fb_set_logo_from_file(struct fb_info *info, const char *filepath,
 
 cleanup:
 	kfree(read_logo);
-	if (file_content)
-		kvfree(file_content);
+	release_firmware(fw);
 }
 
 
