git.openpandora.org / pandora-kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 4de833c) | patch
drm/savage: fix integer overflows in savage_bci_cmdbuf()
authorXi Wang <xi.wang@gmail.com>
Fri, 6 Apr 2012 21:38:24 +0000 (17:38 -0400)
committerDave Airlie <airlied@redhat.com>
Tue, 10 Apr 2012 09:22:51 +0000 (10:22 +0100)
commit6587eb82617f7913c13e750e73e13fa9c829863c
tree47795de3efba773e42336c954b8f15675c156536tree | snapshot
parent4de833c337509916b7931982734d858191cf0700commit | diff
drm/savage: fix integer overflows in savage_bci_cmdbuf()

Since cmdbuf->size and cmdbuf->nbox are from userspace, a large value
would overflow the allocation size, leading to out-of-bounds access.

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
drivers/gpu/drm/savage/savage_state.c diff | blob | history
Pandora Kernel Repository