The size calculation can overflow. I don't know if this leads to memory corruption, but it causes a static checker warning. Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> --- v2: I don't know think the size is capped anywhere. In my first version of this patch, I introduced a divide by zero bug. diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c b/drivers/gpu/drm/qxl/qxl_ioctl.c index b2db482..49b3158 100644 --- a/drivers/gpu/drm/qxl/qxl_ioctl.c +++ b/drivers/gpu/drm/qxl/qxl_ioctl.c @@ -396,12 +396,14 @@ static int qxl_alloc_surf_ioctl(struct drm_device *dev, void *data, struct qxl_bo *qobj; int handle; int ret; - int size, actual_stride; + u64 size, actual_stride; struct qxl_surface surf; /* work out size allocate bo with handle */ actual_stride = param->stride < 0 ? -param->stride : param->stride; size = actual_stride * param->height + actual_stride; + if (size > INT_MAX) + return -EINVAL; surf.format = param->format; surf.width = param->width; -- To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
