diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2015-10-29 16:37:54 +0300 |
---|---|---|
committer | Dave Airlie <airlied@gmail.com> | 2015-10-31 10:00:05 +1000 |
commit | 9ac0934bbe52290e4e4c2a58ec41cab9b6ca8c96 (patch) | |
tree | 5d1efc1e282f49e061e1a6677f9bf77c93e20a5d | |
parent | 04ccb89073e7cfc31d9b9208d32b2cdf84a4d97d (diff) | |
download | lwn-9ac0934bbe52290e4e4c2a58ec41cab9b6ca8c96.tar.gz lwn-9ac0934bbe52290e4e4c2a58ec41cab9b6ca8c96.zip |
drm: crtc: integer overflow in drm_property_create_blob()
The size here comes from the user via the ioctl, it is a number between
1-u32max so the addition here could overflow on 32 bit systems.
Fixes: f453ba046074 ('DRM: add mode setting support')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Cc: stable@kernel.org # v4.2
Signed-off-by: Dave Airlie <airlied@gmail.com>
-rw-r--r-- | drivers/gpu/drm/drm_crtc.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c index 33d877c65ced..c205f13f9388 100644 --- a/drivers/gpu/drm/drm_crtc.c +++ b/drivers/gpu/drm/drm_crtc.c @@ -4105,7 +4105,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length, struct drm_property_blob *blob; int ret; - if (!length) + if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob)) return ERR_PTR(-EINVAL); blob = kzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL); |