On Tue, Dec 23, 2014 at 4:56 AM, Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:
> The test:
>
> if (size > RADEON_MAX_TEXTURE_SIZE) {
>
> "size" is an integer and it's controled by the user so it can be
> negative and the test can underflow. Later we use "size" in:
>
> dwords = size / 4;
> ...
> RADEON_COPY_MT(buffer, data, (int)(dwords * sizeof(u32)));
>
> It causes memory corruption to copy a negative size buffer.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Applied to my fixes tree. thanks!
Alex
> ---
> Static checkers complain about the integer overflows here, and there are
> many real overflows but they appear harmless.
>
> diff --git a/drivers/gpu/drm/radeon/radeon_state.c b/drivers/gpu/drm/radeon/radeon_state.c
> index 535403e..15aee72 100644
> --- a/drivers/gpu/drm/radeon/radeon_state.c
> +++ b/drivers/gpu/drm/radeon/radeon_state.c
> @@ -1703,7 +1703,7 @@ static int radeon_cp_dispatch_texture(struct drm_device * dev,
> u32 format;
> u32 *buffer;
> const u8 __user *data;
> - int size, dwords, tex_width, blit_width, spitch;
> + unsigned int size, dwords, tex_width, blit_width, spitch;
> u32 height;
> int i;
> u32 texpitch, microtile;
> _______________________________________________
> dri-devel mailing list
> dri-devel@xxxxxxxxxxxxxxxxxxxxx
> http://lists.freedesktop.org/mailman/listinfo/dri-devel
_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/dri-devel
