From 575ec8902e61ea82bbe8639c1f5a29997b88dd8c Mon Sep 17 00:00:00 2001
From: Thomas Jarosch
Date: Sat, 20 Dec 2014 14:47:09 +0100
Subject: mini2440: Fix bogus buffer access in LCD backlight driver

The backlight driver always writes a bogus value from memory into the LCD brightness register. Fix it up by adding bounds checks and use a more sane default value. While looking at the code, I noticed that BACKLIGHT_CONTROL_SET probably ignores the desired brightness level, too. Note: Please test on real hardware, I don't own it. cppcheck reported: [rockbox/firmware/target/arm/s3c2440/mini2440/backlight-mini2440.c:53]: (error) Array 'log_brightness[13]' accessed at index 255, which is out of bounds.

Change-Id: Iaafa929a8adaa97b93ebcb66e1f6bd3bf0dad84e
---
 firmware/target/arm/s3c2440/mini2440/backlight-mini2440.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/firmware/target/arm/s3c2440/mini2440/backlight-mini2440.c b/firmware/target/arm/s3c2440/mini2440/backlight-mini2440.c
index a9e003b80a..b39bfc4949 100644
--- a/firmware/target/arm/s3c2440/mini2440/backlight-mini2440.c
+++ b/firmware/target/arm/s3c2440/mini2440/backlight-mini2440.c
@@ -48,6 +48,11 @@ static unsigned char backlight_target;
 /* Assumes that the backlight has been initialized */
 void _backlight_set_brightness(int brightness)
 {
+ if (brightness < 0)
+ brightness = 0;
+ else if(brightness > MAX_BRIGHTNESS_SETTING)
+ brightness = MAX_BRIGHTNESS_SETTING;
+
 /* stop the interrupt from messing us up */
 backlight_control = BACKLIGHT_CONTROL_IDLE;
 _backlight_brightness = log_brightness[brightness];
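Review bot: Nothing visible in this hunk ties `MAX_BRIGHTNESS_SETTING` to the length of `log_brightness`, so the added clamp only keeps `log_brightness[brightness]` in bounds while the two happen to agree (13 entries, per the cppcheck message in the description). If the macro and the table are defined separately, a later change to either one brings the out-of-bounds read back without any warning. Clamping against the table itself would keep them in step, e.g. `else if (brightness >= (int)(sizeof(log_brightness) / sizeof(log_brightness[0])))` with `brightness = (int)(sizeof(log_brightness) / sizeof(log_brightness[0])) - 1;`, or alternatively a compile-time assertion next to the table that it holds `MAX_BRIGHTNESS_SETTING + 1` entries. The body of `_backlight_set_brightness` continues past the end of the hunk.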
@@ -85,11 +90,14 @@ static void led_control_service(void)
 backlight_control = BACKLIGHT_CONTROL_IDLE;
 break;
 case BACKLIGHT_CONTROL_ON:
- _backlight_set_brightness(255);
+ _backlight_set_brightness(DEFAULT_BRIGHTNESS_SETTING);
 backlight_control = BACKLIGHT_CONTROL_IDLE;
 break;
 case BACKLIGHT_CONTROL_SET:
- _backlight_set_brightness(255);
+ /* TODO: This is probably wrong since it sets a fixed value.
+ It was a fixed value of 255 before, but that was even more wrong
+ since it accessed the log_brightness buffer out of bounds */
+ _backlight_set_brightness(DEFAULT_BRIGHTNESS_SETTING);
 backlight_control = BACKLIGHT_CONTROL_IDLE;
 break;
 case BACKLIGHT_CONTROL_FADE:
-- 
cgit v1.2.3
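Review bot: The `BACKLIGHT_CONTROL_SET` case still throws away the level the caller asked for, and the TODO does not record why. The first hunk shows `_backlight_set_brightness` is what stores the requested level in `_backlight_brightness`, so calling it again here with `DEFAULT_BRIGHTNESS_SETTING` overwrites that stored value before the service routine can act on it. The out-of-bounds index is gone, but the `ON` and `SET` cases are now identical. The code that applies the value to the hardware is outside the hunk, as are the start and end of the `switch`, so the exact fix needs confirming there. I would reword the comment so it is actionable: `/* TODO: SET should apply the level already stored in _backlight_brightness; calling the setter here replaces it with the default */`.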