On Sun, Nov 21, 2010 at 08:40:01PM +0300, Vasiliy Kulikov wrote: > (count + p) is not checked for integer overflow. If p < fbmemlength > and count == (size_t)(1 - p) (very big unsigned integer) then > count + p == 1 < fbmemlength and copy_to_user(base_addr+p, buf, count) > overflows base_addr. > > Signed-off-by: Vasiliy Kulikov <segoon@xxxxxxxxxxxx> Applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html