From 9d348d24809c2429fbdae277af6b185413cef9b6 Mon Sep 17 00:00:00 2001
From: Alan Kwong
Date: Fri, 21 Apr 2017 13:14:33 -0700
Subject: [PATCH] drm/msm/sde: correct out of bound access in catalog
Correct validate function to use proper size clearing property count array. Correct copy format function to check bound before accessing array element.
CRs-Fixed: 2037027
Change-Id: Ied3a8e91eb4e6c2c19632b8f83b35d94d1773bb1
Signed-off-by: Alan Kwong
---
 drivers/gpu/drm/msm/sde/sde_hw_catalog.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/msm/sde/sde_hw_catalog.c b/drivers/gpu/drm/msm/sde/sde_hw_catalog.c
index 4f84e31db5f6..eb398fbee816 100644
--- a/drivers/gpu/drm/msm/sde/sde_hw_catalog.c
+++ b/drivers/gpu/drm/msm/sde/sde_hw_catalog.c
@@ -428,8 +428,8 @@ static uint32_t _sde_copy_formats(
 return 0;
 for (i = 0, cur_pos = dst_list_pos;
- (cur_pos < (dst_list_size - 1)) && src_list[i].fourcc_format
- && (i < src_list_size); ++i, ++cur_pos)
+ (cur_pos < (dst_list_size - 1)) && (i < src_list_size)
+ && src_list[i].fourcc_format; ++i, ++cur_pos)
 dst_list[cur_pos] = src_list[i];
 dst_list[cur_pos].fourcc_format = 0;
@@ -503,6 +503,7 @@ static int _validate_dt_entry(struct device_node *np,
 rc = -EINVAL;
 }
 *off_count = 0;
+ memset(prop_count, 0, sizeof(int) * prop_size);
 return rc;
 }
 }
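Review bot: In `_sde_copy_formats`, the terminator write `dst_list[cur_pos].fourcc_format = 0;` after the loop is unconditional, so when `dst_list_pos` is already at or beyond `dst_list_size` the loop is skipped but the write still lands at index `dst_list_pos`, outside the destination. The reordered condition fixes the read of `src_list[i]`, but nothing in the visible lines bounds the starting position; the early `return 0;` guard begins outside the hunk, so it may already cover this. If it does not, add `if (dst_list_pos >= dst_list_size) return 0;` before the loop. That check would also keep `dst_list_size - 1` from wrapping if the size is unsigned and zero (its type is not visible here).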
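Review bot: The added `memset` in `_validate_dt_entry` hard-codes the element type and trusts `prop_size` to be the element count of the caller's `prop_count` array; neither is checked or documented in the visible lines. Writing it as `memset(prop_count, 0, sizeof(*prop_count) * prop_size);` keeps the length tied to the pointer's type if that ever changes. A comment on the function such as `/* prop_count must have at least prop_size entries */` would record the contract the clear depends on, since a caller passing a `prop_size` larger than its array turns this line into an out-of-bounds write. The signature and the callers are outside the hunk, so whether `prop_count` can be NULL on this path should be confirmed as well.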