On Sat, Nov 13, 2010 at 01:07:18PM +0300, Dan Carpenter wrote:
> @@ -256,8 +264,12 @@ int fb_set_user_cmap(struct fb_cmap_user *cmap, struct fb_info *info)
> int rc, size = cmap->len * sizeof(u16);
> struct fb_cmap umap;
>
> + if (cmap->len * 2 > INT_MAX)
> + return -EINVAL;
> +
> memset(&umap, 0, sizeof(struct fb_cmap));
> - rc = fb_alloc_cmap(&umap, cmap->len, cmap->transp != NULL);
> + rc = fb_alloc_cmap_gfp(&umap, cmap->len, cmap->transp != NULL,
> + GFP_KERNEL);
> if (rc)
> return rc;
> if (copy_from_user(umap.red, cmap->red, size) ||
This looks reasonable, but it probably makes more sense to use -E2BIG for the overflow case (as other cases are doing already), and also just to check size directly rather than open-coding the * 2.
-- To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
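Review bot: The added guard `if (cmap->len * 2 > INT_MAX)` multiplies in the type of `cmap->len`, so the product can wrap before it is compared. The declaration of `struct fb_cmap_user` is not visible here, but if `len` is a 32-bit unsigned field then a user-supplied length of 2^31 or more wraps to a small value and passes the check. The `int size` initialised on the first context line and later passed to `copy_from_user()` is then still derived from an out-of-range length. Comparing against a divided bound avoids the multiplication entirely, for example `if (cmap->len > INT_MAX / sizeof(u16))`. The body of fb_set_user_cmap continues past the end of this hunk, so the later copies and the cleanup path could not be checked from here.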