From: Xi Wang
Date: Mon, 28 Nov 2011 11:25:43 +0000 (+0100)
Subject: vmwgfx: integer overflow in vmw_kms_update_layout_ioctl()
X-Git-Tag: v3.2-rc5~54^2
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bab9efc206ba89766c53a9042eb771e87e68c42b;p=pandora-kernel.git

vmwgfx: integer overflow in vmw_kms_update_layout_ioctl()

There are two issues in vmw_kms_update_layout_ioctl(). First, the for
loop forgets to index rects and only checks the first element. Second,
there is a potential integer overflow if userspace passes in a large
arg->num_outputs. The call to kzalloc() would allocate a small buffer,
leading to out-of-bounds read.

Reported-by: Haogang Chen
Signed-off-by: Xi Wang
Signed-off-by: Thomas Hellstrom
Signed-off-by: Dave Airlie
---
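The two bug classes named in the commit message, shown as an added userspace example; this is not the kernel code or the patch itself. struct rect, rect_ok() and its validity rule, the 8192 limit, and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the per-output rectangle passed in from
 * userspace (16 bytes); the validity rule in rect_ok() is also assumed. */
struct rect { int32_t x, y; uint32_t w, h; };

/* Before: a 32-bit product wraps for a large count, giving a tiny size. */
uint32_t rects_size_unchecked(uint32_t num_outputs)
{
    return num_outputs * (uint32_t)sizeof(struct rect);
}

/* After: reject any count whose byte size does not fit; 0 on success. */
int rects_size_checked(uint32_t num_outputs, uint32_t *size)
{
    if (num_outputs > UINT32_MAX / sizeof(struct rect))
        return -1;
    *size = num_outputs * (uint32_t)sizeof(struct rect);
    return 0;
}

static int rect_ok(const struct rect *r, uint32_t max_w, uint32_t max_h)
{
    return r->x >= 0 && r->y >= 0 && r->w <= max_w && r->h <= max_h;
}

/* Before: the loop runs n times but never indexes, so only rects[0] is checked. */
int validate_first_only(const struct rect *rects, uint32_t n, uint32_t mw, uint32_t mh)
{
    for (uint32_t i = 0; i < n; i++)
        if (!rect_ok(rects, mw, mh))
            return -1;
    return 0;
}

/* After: every element is checked. */
int validate_all(const struct rect *rects, uint32_t n, uint32_t mw, uint32_t mh)
{
    for (uint32_t i = 0; i < n; i++)
        if (!rect_ok(&rects[i], mw, mh))
            return -1;
    return 0;
}

int main(void)
{
    struct rect r[2] = { {0, 0, 800, 600}, {0, 0, 70000, 600} }; /* constructed input */
    printf("%u %d %d\n", (unsigned)rects_size_unchecked(0x10000001u),
           validate_first_only(r, 2, 8192, 8192), validate_all(r, 2, 8192, 8192));
    return 0;
}
```

With a count of 0x10000001 the unchecked product wraps to the size of a single element, which is the small allocation the commit message describes.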