From 672b87bfaa8695f0c5c22f11954e29e5c9800b25 Mon Sep 17 00:00:00 2001
From: jsg <jsg@openbsd.org>
Date: Thu, 15 Jun 2023 02:48:26 +0000
Subject: [PATCH] drm/displayid: add displayid_get_header() and check bounds
 better

From Jani Nikula
4b17053ba268bf952c19ecb58d66d5d72e782d13 in linux-6.1.y/6.1.30
5bacecc3c56131c31f18b23d366f2184328fd9cf in mainline linux
---
 sys/dev/pci/drm/drm_displayid.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/sys/dev/pci/drm/drm_displayid.c b/sys/dev/pci/drm/drm_displayid.c
index 38ea8203df4..7d03159dc14 100644
--- a/sys/dev/pci/drm/drm_displayid.c
+++ b/sys/dev/pci/drm/drm_displayid.c
@@ -7,13 +7,28 @@
 #include <drm/drm_edid.h>
 #include <drm/drm_print.h>
 
+static const struct displayid_header *
+displayid_get_header(const u8 *displayid, int length, int index)
+{
+	const struct displayid_header *base;
+
+	if (sizeof(*base) > length - index)
+		return ERR_PTR(-EINVAL);
+
+	base = (const struct displayid_header *)&displayid[index];
+
+	return base;
+}
+
 static int validate_displayid(const u8 *displayid, int length, int idx)
 {
 	int i, dispid_length;
 	u8 csum = 0;
 	const struct displayid_header *base;
 
-	base = (const struct displayid_header *)&displayid[idx];
+	base = displayid_get_header(displayid, length, idx);
+	if (IS_ERR(base))
+		return PTR_ERR(base);
 
 	DRM_DEBUG_KMS("base revision 0x%x, length %d, %d %d\n",
 		      base->rev, base->bytes, base->prod_id, base->ext_count);
-- 
2.20.1