The size calculation can overflow.
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c b/drivers/gpu/drm/qxl/qxl_ioctl.c
index 552dc06..5da9a60 100644
--- a/drivers/gpu/drm/qxl/qxl_ioctl.c
+++ b/drivers/gpu/drm/qxl/qxl_ioctl.c
@@ -401,6 +401,8 @@ static int qxl_alloc_surf_ioctl(struct drm_device *dev, void *data,
 /* work out size allocate bo with handle */
 actual_stride = param->stride < 0 ? -param->stride : param->stride;
+ if (actual_stride > (INT_MAX - actual_stride) / param->height)
+ return -EINVAL;
 size = actual_stride * param->height + actual_stride;
 surf.format = param->format;
_______________________________________________ dri-devel mailing list dri-devel@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/dri-devel
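Review bot: The added guard divides by `param->height`, which appears to come straight from the ioctl argument, so a caller passing a height of 0 would turn the overflow check into a division by zero unless the field is validated earlier, outside this hunk. Testing for zero first keeps the check safe, e.g. `if (!param->height || actual_stride > (INT_MAX - actual_stride) / param->height)`; if a zero height must stay legal, skip the division in that case instead of rejecting it. Separately, the context line above negates `param->stride` without excluding the most negative value, so if the field is a signed 32-bit integer that negation can itself overflow before the new check runs. The types of `actual_stride` and `param->height` are not visible here; if one is signed and the other unsigned, the comparison is carried out in unsigned arithmetic, which is worth confirming against the struct definition. The body of `qxl_alloc_surf_ioctl` starts and ends outside the hunk.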