This patch adds check for various malloc/calloc function if they were able to allocate memory as requested or not. Return appropriate error if the allocation fails. Signed-off-by: Praveen Paneri <praveen.paneri@xxxxxxxxx> --- intel/intel_bufmgr_fake.c | 4 ++++ intel/intel_bufmgr_gem.c | 3 +++ intel/intel_decode.c | 2 ++ xf86drm.c | 54 +++++++++++++++++++++++++++++++++++++---------- xf86drmHash.c | 9 ++++++++ xf86drmSL.c | 2 ++ 6 files changed, 63 insertions(+), 11 deletions(-) diff --git a/intel/intel_bufmgr_fake.c b/intel/intel_bufmgr_fake.c index ed31c23..c00aa80 100644 --- a/intel/intel_bufmgr_fake.c +++ b/intel/intel_bufmgr_fake.c @@ -1277,6 +1277,8 @@ drm_intel_fake_emit_reloc(drm_intel_bo *bo, uint32_t offset, if (bo_fake->relocs == NULL) { bo_fake->relocs = malloc(sizeof(struct fake_buffer_reloc) * MAX_RELOCS); + if (!bo_fake->relocs) + return -ENOMEM; } r = &bo_fake->relocs[bo_fake->nr_relocs++]; @@ -1596,6 +1598,8 @@ drm_intel_bufmgr *drm_intel_bufmgr_fake_init(int fd, drm_intel_bufmgr_fake *bufmgr_fake; bufmgr_fake = calloc(1, sizeof(*bufmgr_fake)); + if (!bufmgr_fake) + return NULL; if (pthread_mutex_init(&bufmgr_fake->lock, NULL) != 0) { free(bufmgr_fake); diff --git a/intel/intel_bufmgr_gem.c b/intel/intel_bufmgr_gem.c index 8251efd..5bf33c4 100644 --- a/intel/intel_bufmgr_gem.c +++ b/intel/intel_bufmgr_gem.c @@ -2261,6 +2261,9 @@ aub_write_bo_data(drm_intel_bo *bo, uint32_t offset, uint32_t size) unsigned int i; data = malloc(bo->size); + if (!data) + return; + drm_intel_bo_get_subdata(bo, offset, size, data); /* Easy mode: write out bo with no relocations */ diff --git a/intel/intel_decode.c b/intel/intel_decode.c index 5a4fc4a..015ef20 100644 --- a/intel/intel_decode.c +++ b/intel/intel_decode.c @@ -3907,6 +3907,8 @@ drm_intel_decode(struct drm_intel_decode *ctx) * checking in statically sized packets. */ temp = malloc(size + 4096); + if (!temp) + return; memcpy(temp, ctx->base_data, size); memset((char *)temp + size, 0xd0, 4096); ctx->data = temp; diff --git a/xf86drm.c b/xf86drm.c index df56f9e..8b206e3 100644 --- a/xf86drm.c +++ b/xf86drm.c @@ -194,6 +194,8 @@ drmHashEntry *drmGetEntry(int fd) if (drmHashTable && drmHashLookup(drmHashTable, key, &value)) { entry = drmMalloc(sizeof(*entry)); + if (!entry) + return NULL; entry->fd = fd; entry->f = NULL; entry->tagTable = drmHashCreate(); @@ -735,6 +737,8 @@ drmVersionPtr drmGetVersion(int fd) { drmVersionPtr retval; drm_version_t *version = drmMalloc(sizeof(*version)); + if (!version) + return NULL; version->name_len = 0; version->name = NULL; @@ -767,7 +771,9 @@ drmVersionPtr drmGetVersion(int fd) if (version->desc_len) version->desc[version->desc_len] = '\0'; retval = drmMalloc(sizeof(*retval)); - drmCopyVersion(retval, version); + if (retval) + drmCopyVersion(retval, version); + drmFreeKernelVersion(version); return retval; } @@ -789,6 +795,8 @@ drmVersionPtr drmGetVersion(int fd) drmVersionPtr drmGetLibVersion(int fd) { drm_version_t *version = drmMalloc(sizeof(*version)); + if (!version) + return NULL; /* Version history: * NOTE THIS MUST NOT GO ABOVE VERSION 1.X due to drivers needing it @@ -1190,14 +1198,25 @@ drmBufInfoPtr drmGetBufInfo(int fd) } retval = drmMalloc(sizeof(*retval)); + if (!retval) { + drmFree(info.list); + return NULL; + } + retval->count = info.count; retval->list = drmMalloc(info.count * sizeof(*retval->list)); - for (i = 0; i < info.count; i++) { - retval->list[i].count = info.list[i].count; - retval->list[i].size = info.list[i].size; - retval->list[i].low_mark = info.list[i].low_mark; - retval->list[i].high_mark = info.list[i].high_mark; + if (retval->list) { + for (i = 0; i < info.count; i++) { + retval->list[i].count = info.list[i].count; + retval->list[i].size = info.list[i].size; + retval->list[i].low_mark = info.list[i].low_mark; + retval->list[i].high_mark = info.list[i].high_mark; + } + } else { + drmFree(retval); + retval = NULL; } + drmFree(info.list); return retval; } @@ -1243,13 +1262,23 @@ drmBufMapPtr drmMapBufs(int fd) } retval = drmMalloc(sizeof(*retval)); + if (!retval) { + drmFree(bufs.list); + return NULL; + } + retval->count = bufs.count; retval->list = drmMalloc(bufs.count * sizeof(*retval->list)); - for (i = 0; i < bufs.count; i++) { - retval->list[i].idx = bufs.list[i].idx; - retval->list[i].total = bufs.list[i].total; - retval->list[i].used = 0; - retval->list[i].address = bufs.list[i].address; + if (retval->list) { + for (i = 0; i < bufs.count; i++) { + retval->list[i].idx = bufs.list[i].idx; + retval->list[i].total = bufs.list[i].total; + retval->list[i].used = 0; + retval->list[i].address = bufs.list[i].address; + } + } else { + drmFree(retval); + retval = NULL; } drmFree(bufs.list); @@ -2612,6 +2641,9 @@ int drmCSCIoctl(int fd, struct CSCCoeff_Matrix *CSC_Matrix) } pCSCCoeff = (struct csc_coeff *)malloc(sizeof(struct csc_coeff)); + if (!pCSCCoeff) + return -ENOMEM; + Calc_CSC_Param(CSC_Matrix, pCSCCoeff, devid); pCSCCoeff->crtc_id = CSC_Matrix->crtc_id; diff --git a/xf86drmHash.c b/xf86drmHash.c index 82cbc2a..56e9af3 100644 --- a/xf86drmHash.c +++ b/xf86drmHash.c @@ -70,6 +70,7 @@ #include <stdio.h> #include <stdlib.h> +#include <errno.h> #define HASH_MAIN 0 @@ -79,6 +80,7 @@ #define HASH_MAGIC 0xdeadbeef #define HASH_DEBUG 0 +#define HASH_INVALID 0xffffffff /* A value that is out of bound */ #define HASH_SIZE 512 /* Good for about 100 entries */ /* If you change this value, you probably have to change the HashHash hashing @@ -137,6 +139,8 @@ static unsigned long HashHash(unsigned long key) if (!init) { HASH_RANDOM_DECL; HASH_RANDOM_INIT(37); + if (!state) + return HASH_INVALID; for (i = 0; i < 256; i++) scatter[i] = HASH_RANDOM; HASH_RANDOM_DESTROY; ++init; @@ -203,6 +207,9 @@ static HashBucketPtr HashFind(HashTablePtr table, if (h) *h = hash; + if (hash == HASH_INVALID) + return NULL; + for (bucket = table->buckets[hash]; bucket; bucket = bucket->next) { if (bucket->key == key) { if (prev) { @@ -244,6 +251,7 @@ int drmHashInsert(void *t, unsigned long key, void *value) if (table->magic != HASH_MAGIC) return -1; /* Bad magic */ if (HashFind(table, key, &hash)) return 1; /* Already in table */ + if (hash == HASH_INVALID) return -1; bucket = HASH_ALLOC(sizeof(*bucket)); if (!bucket) return -1; /* Error */ @@ -267,6 +275,7 @@ int drmHashDelete(void *t, unsigned long key) bucket = HashFind(table, key, &hash); + if (hash == HASH_INVALID) return -1; if (!bucket) return 1; /* Not found */ table->buckets[hash] = bucket->next; diff --git a/xf86drmSL.c b/xf86drmSL.c index 45f3906..00ae9f9 100644 --- a/xf86drmSL.c +++ b/xf86drmSL.c @@ -40,6 +40,7 @@ #include <stdio.h> #include <stdlib.h> +#include <errno.h> #define SL_MAIN 0 @@ -124,6 +125,7 @@ static int SLRandomLevel(void) SL_RANDOM_DECL; SL_RANDOM_INIT(SL_RANDOM_SEED); + if (!state) return -ENOMEM; while ((SL_RANDOM & 0x01) && level < SL_MAX_LEVEL) ++level; return level; -- 1.9.1 _______________________________________________ Intel-gfx mailing list Intel-gfx@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/intel-gfx