Here are 2 patches against the 'master' branch of Linus' 'linux.git' repo...

In {cfb|sys}_copyarea(), when initializing *unsigned long const* bits_per_line, __u32 typed fb_fix_screeninfo::line_length gets multiplied by 8u which might overflow __u32; this whole *struct* fb_fix_screeninfo seems to come from userland (as it's declared in the UAPI header)... Also, that bits_per_line constant is used to advance *unsigned* src_idx and dst_idx local variables which might be overflowed as well...

These overflow possibilities were there from the very beginning of the source files in question, so I decided to just CC stable@xxxxxxxxxxxxxxx, without the Fixes tags...

Sergey Shtylyov (2):
  video: fbdev: core: cfbcopyarea: fix sloppy typing
  video: fbdev: core: syscopyarea: fix sloppy typing

 drivers/video/fbdev/core/cfbcopyarea.c | 5 +++--
 drivers/video/fbdev/core/syscopyarea.c | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

-- 
2.26.3
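
The wraparound described in the message above, as an added example that is not part of the original posting or of the kernel sources. The struct, the function names and the sample values are constructed for illustration, and uint64_t stands in for a 64-bit unsigned long.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the one field involved; not the kernel's struct. */
struct fix_info { uint32_t line_length; };      /* bytes per scanline */

/* Pattern from the message: both operands are 32-bit, so the multiply
 * wraps modulo 2^32 before the result is widened for the assignment. */
static uint64_t bits_per_line_narrow(const struct fix_info *fix)
{
    return fix->line_length * 8u;
}

/* Widening one operand first makes the multiply itself 64-bit. */
static uint64_t bits_per_line_wide(const struct fix_info *fix)
{
    return (uint64_t)fix->line_length * 8u;
}

/* Bit offset of row dy held in a 32-bit index, as with plain 'unsigned'. */
static uint32_t row_idx_narrow(uint64_t bits_per_line, uint32_t dy)
{
    return (uint32_t)(dy * bits_per_line);
}

/* Same offset held in a 64-bit index. */
static uint64_t row_idx_wide(uint64_t bits_per_line, uint32_t dy)
{
    return dy * bits_per_line;
}

int main(void)
{
    struct fix_info f = { 0x20000001u };        /* constructed value */
    uint64_t bpl = 65536;                       /* 8192-byte scanline */

    printf("narrow bits_per_line: %llu\n",
           (unsigned long long)bits_per_line_narrow(&f));
    printf("wide   bits_per_line: %llu\n",
           (unsigned long long)bits_per_line_wide(&f));
    printf("narrow idx: %u, wide idx: %llu\n",
           (unsigned)row_idx_narrow(bpl, 65536u),
           (unsigned long long)row_idx_wide(bpl, 65536u));
    return 0;
}
```

With a wrapped bits_per_line or index, the copy would address rows at offsets far smaller than the geometry implies, which is why the width of both the constant and the index variables matters.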