Hi Tobias,

On 01/17/2017 11:24 PM, Tobias Jakobi wrote:
> Joonyoung Shim wrote:
>> The size of cmdlist is integer type, so it can be overflowed by cmd and
>> cmd_buf that has too big size. This patch will fix overflow issue as
>> checking maximum size of cmd and cmd_buf.
> I don't understand/see the issue here. Could you point out for which
> input of the set_cmdlist ioctl you see this particular overflow?
>
> In particular it is not clear to me which size field you're talking
> about. struct g2d_cmdlist does not have any field named 'size'.
>

I mean the size of the cmdlist, which is

	size = cmdlist->last + req->cmd_nr * 2 + req->cmd_buf_nr * 2 + 2;

in exynos_g2d_set_cmdlist_ioctl().

You can easily reproduce the overflow of size if you use a value like
4294967295 or 2147483647 for req->cmd_buf_nr.

Thanks.
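
The wraparound described in this reply, worked through as an added example that is not part of the original message, the patch, or the driver source. It assumes the counts are 32-bit unsigned values; CMDLIST_MAX_WORDS and both function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical upper bound on command-list words; the driver's real
 * limit is not stated in this thread. */
#define CMDLIST_MAX_WORDS 1024u

/* The expression quoted in the thread, evaluated modulo 2^32
 * (assumption: last, cmd_nr and cmd_buf_nr are 32-bit unsigned). */
static uint32_t size_unchecked(uint32_t last, uint32_t cmd_nr,
                               uint32_t cmd_buf_nr)
{
    return (uint32_t)(last + cmd_nr * 2u + cmd_buf_nr * 2u + 2u);
}

/* Hardened form: reject oversized counts before multiplying, then do
 * the sum in 64 bits so it cannot wrap, and bound the total. */
static bool size_checked(uint32_t last, uint32_t cmd_nr,
                         uint32_t cmd_buf_nr, uint32_t *out)
{
    uint64_t size;

    if (cmd_nr > CMDLIST_MAX_WORDS || cmd_buf_nr > CMDLIST_MAX_WORDS)
        return false;

    size = (uint64_t)last + (uint64_t)cmd_nr * 2 +
           (uint64_t)cmd_buf_nr * 2 + 2;
    if (size > CMDLIST_MAX_WORDS)
        return false;

    *out = (uint32_t)size;
    return true;
}

int main(void)
{
    /* The two cmd_buf_nr values named in the thread. */
    const uint32_t samples[] = { 4294967295u, 2147483647u };
    uint32_t out = 0;

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("cmd_buf_nr=%u unchecked size=%u checked=%s\n",
               (unsigned)samples[i],
               (unsigned)size_unchecked(0, 0, samples[i]),
               size_checked(0, 0, samples[i], &out) ? "accepted" : "rejected");
    }
    return 0;
}
```

Both values from the thread make the unchecked sum wrap to the same result as cmd_buf_nr = 0, so a comparison of size against a maximum alone does not catch them; the per-field bound does.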