mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-10-04 16:15:11 +00:00
Code Issues Releases Wiki Activity

drm/savage: fix integer overflows in savage_bci_cmdbuf()

Browse source 
Since cmdbuf->size and cmdbuf->nbox are from userspace, a large value
would overflow the allocation size, leading to out-of-bounds access.

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
This commit is contained in:
Xi Wang 2012-04-06 17:38:24 -04:00 committed by Dave Airlie
parent 4de833c337
commit 6587eb8261
1 changed files with 3 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
drivers/gpu/drm/savage/savage_state.c
View file

@ -988,7 +988,7 @@ int savage_bci_cmdbuf(struct drm_device *dev, void *data, struct drm_file *file_
* for locking on FreeBSD.
*/
if (cmdbuf->size) {
kcmd_addr = kmalloc(cmdbuf->size * 8, GFP_KERNEL);
kcmd_addr = kmalloc_array(cmdbuf->size, 8, GFP_KERNEL);
if (kcmd_addr == NULL)
return -ENOMEM;
@ -1015,8 +1015,8 @@ int savage_bci_cmdbuf(struct drm_device *dev, void *data, struct drm_file *file_
cmdbuf->vb_addr = kvb_addr;
}
if (cmdbuf->nbox) {
kbox_addr = kmalloc(cmdbuf->nbox * sizeof(struct drm_clip_rect),
GFP_KERNEL);
kbox_addr = kmalloc_array(cmdbuf->nbox, sizeof(struct drm_clip_rect),
GFP_KERNEL);
if (kbox_addr == NULL) {
ret = -ENOMEM;
goto done;