Hi, one of our developers mentioned that depth->n can be negative. I didn't check the whole code, but even if depth->n is unsigned, count is signed and can be negative by using a depth->n > INT_MAX.
Is this a real problem or do we just hunt ghosts here?

On Wed, 14 Jan 2004, Alan Cox wrote:

> I think this is about the minimal fix needed. I'm not entirely happy
> with the limits picked, especially for spans, but maybe someone with
> an R128 can verify it is ok, or change the code to loop each chunk
> of pixels/span data.
>
> I've not yet looked at the new SiS allocator problems in detail. The
> 6326 really wants a different allocator anyway.
>
> Alan
>
> --- drivers/char/drm/r128_state.c~ 2004-01-14 13:42:38.000000000 +0000 > +++ drivers/char/drm/r128_state.c 2004-01-14 13:46:27.000000000 +0000 > @@ -23,8 +23,20 @@ > * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER > * DEALINGS IN THE SOFTWARE. > * > + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR > + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, > + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL > + * RED HAT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY CLAIM, DAMAGES OR > + * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, > + * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER > + * DEALINGS IN THE SOFTWARE. > + * > + * THIS SOFTWARE IS NOT INTENDED FOR USE IN SAFETY CRITICAL SYSTEMS > + * > * Authors: > * Gareth Hughes <[EMAIL PROTECTED]> > + * > + * Memory allocation size checks added 14/01/2003, Alan Cox <[EMAIL PROTECTED]> > */ > > #include "r128.h" > @@ -901,6 +913,9 @@ > DRM_DEBUG( "%s\n", __FUNCTION__ ); > > count = depth->n; > + > + if( count > 4096 ) > + return -EMSGSIZE; > if ( copy_from_user( &x, depth->x, sizeof(x) ) ) { > return -EFAULT; > } 
> @@ -994,6 +1009,9 @@ > DRM_DEBUG( "%s\n", __FUNCTION__ ); > > count = depth->n; > + > + if( count > 4096 ) > + return -EMSGSIZE; > > x = kmalloc( count * sizeof(*x), GFP_KERNEL ); > if ( x == NULL ) { > @@ -1109,6 +1127,9 @@ > DRM_DEBUG( "%s\n", __FUNCTION__ ); > > count = depth->n; > + > + if ( count > 4096 ) > + return -EMSGSIZE; > if ( copy_from_user( &x, depth->x, sizeof(x) ) ) { > return -EFAULT; > } >

Bye,
Thomas
--
Thomas Biege <[EMAIL PROTECTED]>, SUSE LINUX AG, Security Support & Auditing
--
# If you have the "driftnet" program installed, webcollage can display a
# collage of images sniffed off your local ethernet, instead of pulled out
# of search engines: in that way, your screensaver can display the images
# that your co-workers are downloading!
#       -- xscreensaver source-code
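Review bot: In the header hunk (@@ -23,8 +23,20 @@) the changelog line reads "Memory allocation size checks added 14/01/2003", while both file timestamps in the diff header are 2004-01-14, so the year looks like a typo and should be 2004. The added warranty block also repeats the "ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE ... DEALINGS IN THE SOFTWARE." wording that already sits in the unchanged context lines directly above it; if the intent is only to add a second copyright holder to the existing disclaimer, it would be cleaner to extend that paragraph than to paste a second copy into a size-check fix.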
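Review bot: In the hunk at @@ -901,6 +913,9 @@ the new test "if( count > 4096 )" bounds count from above only. The declaration of count is not visible in this hunk, but if it is a signed int, as the reply above says, a negative value assigned from depth->n passes the test and the function carries on with it. Either reject it explicitly with "if ( count < 0 || count > 4096 )" or make count the same unsigned type as depth->n so that the single comparison covers both ends.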
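Review bot: In the hunk at @@ -994,6 +1009,9 @@ the check sits directly in front of "x = kmalloc( count * sizeof(*x), GFP_KERNEL );", and it only stops values above 4096. If count is signed, a negative value gets past "if( count > 4096 )" and is converted to a very large unsigned value in "count * sizeof(*x)", so the allocation size is still not bounded by this test. The check needs a lower bound (or an unsigned count) before the multiplication, and it is worth stating in a comment whether count == 0 is meant to be accepted here.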
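Review bot: In the hunk at @@ -1109,6 +1127,9 @@ the limit is again the bare literal 4096, now for the third time in the patch, and the cover note itself says the limits picked are not settled. A single named constant with a one-line comment on where the value comes from would let the limit be tuned in one place once someone with the hardware confirms it. Minor style point: this hunk writes "if ( count > 4096 )" while the two earlier hunks write "if( count > 4096 )"; the surrounding code uses the spaced form, so the earlier two should match it.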