mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-10-29 23:53:32 +00:00
drm: fix division-by-zero on dumb_create()
Kinda unexpected, but DIV_ROUND_UP() can overflow if passed an argument bigger than UINT_MAX - DIVISOR. Fix this by testing for "!cpp" before using it in the following division. Note that DIV_ROUND_UP() is defined as: #define DIV_ROUND_UP(n,d) (((n) + (d) - 1) / (d)) ..this will obviously overflow if (n + d - 1) is bigger than UINT_MAX. Reported-by: Tommi Rantala <tt.rantala@gmail.com> Signed-off-by: David Herrmann <dh.herrmann@gmail.com> Reviewed-by: Rob Clark <robdclark@gmail.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
This commit is contained in:
parent
4d6923733f
commit
00e7208997
1 changed files with 2 additions and 1 deletions
|
@ -4696,8 +4696,9 @@ int drm_mode_create_dumb_ioctl(struct drm_device *dev,
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
||||||
/* overflow checks for 32bit size calculations */
|
/* overflow checks for 32bit size calculations */
|
||||||
|
/* NOTE: DIV_ROUND_UP() can overflow */
|
||||||
cpp = DIV_ROUND_UP(args->bpp, 8);
|
cpp = DIV_ROUND_UP(args->bpp, 8);
|
||||||
if (cpp > 0xffffffffU / args->width)
|
if (!cpp || cpp > 0xffffffffU / args->width)
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
stride = cpp * args->width;
|
stride = cpp * args->width;
|
||||||
if (args->height > 0xffffffffU / stride)
|
if (args->height > 0xffffffffU / stride)
|
||||||
|
|
Loading…
Reference in a new issue