From: Thomas B. <th...@su...> - 2004-02-13 11:34:20
Hi,

one of our developers mentioned that depth->n can be negative. I didn't check the whole code, but even if depth->n is unsigned, count is signed and can be negative by using a depth->n > INT_MAX. Is this a real problem or do we just hunt ghosts here?

On Wed, 14 Jan 2004, Alan Cox wrote: > I think this is about the minimal fix needed. I'm not entirely happy > with the limits picked, especially for spans, but maybe someone with > an R128 can verify it is ok, or change the code to loop each chunk > of pixels/span data. > > I've not yet looked at the new SiS allocator problems in detail. The > 6326 really wants a different allocator anyway. > > Alan > > > [ Part 2: "Attached Text" ] > > [ The following text is in the "UTF-8" character set. ] > [ Your display is set for the "iso-8859-1" character set. ] > [ Some characters may be displayed incorrectly. ] > > --- drivers/char/drm/r128_state.c~ 2004-01-14 13:42:38.000000000 +0000 > +++ drivers/char/drm/r128_state.c 2004-01-14 13:46:27.000000000 +0000 > @@ -23,8 +23,20 @@ > * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER > * DEALINGS IN THE SOFTWARE. > * > + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR > + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, > + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL > + * RED HAT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY CLAIM, DAMAGES OR > + * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, > + * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER > + * DEALINGS IN THE SOFTWARE. > + * > + * THIS SOFTWARE IS NOT INTENDED FOR USE IN SAFETY CRITICAL SYSTEMS > + * > * Authors: > * Gareth Hughes <ga...@va...> > + * > + * Memory allocation size checks added 14/01/2003, Alan Cox <al...@re...> > */ > > #include "r128.h" 
> @@ -901,6 +913,9 @@ > DRM_DEBUG( "%s\n", __FUNCTION__ ); > > count = depth->n; > + > + if( count > 4096 ) > + return -EMSGSIZE; > if ( copy_from_user( &x, depth->x, sizeof(x) ) ) { > return -EFAULT; > } > @@ -994,6 +1009,9 @@ > DRM_DEBUG( "%s\n", __FUNCTION__ ); > > count = depth->n; > + > + if( count > 4096 ) > + return -EMSGSIZE; > > x = kmalloc( count * sizeof(*x), GFP_KERNEL ); > if ( x == NULL ) { > @@ -1109,6 +1127,9 @@ > DRM_DEBUG( "%s\n", __FUNCTION__ ); > > count = depth->n; > + > + if ( count > 4096 ) > + return -EMSGSIZE; > if ( copy_from_user( &x, depth->x, sizeof(x) ) ) { > return -EFAULT; > } >

Bye,
Thomas
--
Thomas Biege <th...@su...>, SUSE LINUX AG, Security Support & Auditing
--
# If you have the "driftnet" program installed, webcollage can display a
# collage of images sniffed off your local ethernet, instead of pulled out
# of search engines: in that way, your screensaver can display the images
# that your co-workers are downloading!
    -- xscreensaver source-code
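
Review bot: In the header hunk (@@ -23,8) the added credit line dates the change 14/01/2003, while the diff's own file timestamps read 2004-01-14; the year looks like a typo and should match. The added warranty paragraph also ends with the same two lines that already appear as context directly above it ("ARISING FROM, OUT OF OR IN CONNECTION WITH ..." and "DEALINGS IN THE SOFTWARE."), so it is worth checking whether a second disclaimer is wanted or whether the RED HAT clause can be folded into the existing one.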
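
Review bot: In the @@ -994 hunk the new test rejects only count > 4096, and the next statement is kmalloc( count * sizeof(*x), GFP_KERNEL ). If count is a signed int, as the reply above states, a negative value copied from depth->n passes the test and becomes a very large size in that multiplication. Rejecting count <= 0 before the allocation, or making count unsigned, would close this; the same lower bound is missing from the tests added in the @@ -901 and @@ -1109 hunks.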
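
Review bot: Style point on the test added in the @@ -1109 hunk: it is written "if ( count > 4096 )" while the other two hunks add "if( count > 4096 )"; the context lines use "if ( copy_from_user(", so the spaced form should be used in all three places. The literal 4096 is repeated in every hunk with no comment on where the limit comes from; a named constant with a short note would make it easier to revisit, given that the cover text says the limits may need changing.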
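
The signedness question raised in the message above, worked through as an added example (not part of the original e-mail and not the driver's code). It assumes depth->n is an unsigned int, count is a signed int and the array element type is int; to_count, check_patch, check_hardened and alloc_bytes are hypothetical names.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_COUNT 4096 /* limit used by the quoted patch */

/* Assumption: the ioctl field n is unsigned and the driver's local
 * count is a signed int, as the message above describes. */
static int to_count(unsigned int n)
{
    return (int)n; /* n > INT_MAX turns negative on two's-complement targets */
}

/* The check as it appears in the quoted hunks: upper bound only. */
static int check_patch(int count)
{
    if (count > MAX_COUNT)
        return -EMSGSIZE;
    return 0;
}

/* Hypothetical hardened variant: reject non-positive counts as well. */
static int check_hardened(int count)
{
    if (count <= 0)
        return -EINVAL;
    if (count > MAX_COUNT)
        return -EMSGSIZE;
    return 0;
}

/* Size an allocator would be asked for: count * sizeof(*x), x assumed int *. */
static size_t alloc_bytes(int count)
{
    return (size_t)count * sizeof(int); /* negative count becomes a huge size_t */
}

int main(void)
{
    /* Constructed sample values for n. */
    unsigned int samples[] = { 16u, 4096u, 4097u, (unsigned int)INT_MAX + 1u, UINT_MAX };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int c = to_count(samples[i]);
        printf("n=%u count=%d patch=%d hardened=%d bytes=%zu\n",
               samples[i], c, check_patch(c), check_hardened(c), alloc_bytes(c));
    }
    return 0;
}
```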