From dd5a74f2f982193620cfa1ef609df1ee805781d4 Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Tue, 23 Dec 2014 12:56:49 +0300
Subject: [PATCH] drm/radeon: integer underflow in radeon_cp_dispatch_texture()
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

The test:

	if (size > RADEON_MAX_TEXTURE_SIZE) {

"size" is an integer and it's controled by the user so it can be
negative and the test can underflow.  Later we use "size" in:

	dwords = size / 4;
	...
	RADEON_COPY_MT(buffer, data, (int)(dwords * sizeof(u32)));

It causes memory corruption to copy a negative size buffer.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
---
Reading git-format-patch failed