Hi,
one of our developers mentioned that depth->n can be negative.

I didn't check the whole code but even if depth->n is unsigned,
count is signed and can be negative by using a depth->n > INT_MAX.

Is this a real problem or do we just hunt ghosts here?


On Wed, 14 Jan 2004, Alan Cox wrote:

> I think this is about the minimal fix needed. I'm not entirely happy
> with the limits picked, especially for spans, but maybe someone with
> an R128 can verify it is ok, or change the code to loop each chunk
> of pixels/span data.
> 
> I've not yet looked at the new SiS allocator problems in detail. The
> 6326 really wants a different allocator anyway.
> 
> Alan
> 
> 
> --- drivers/char/drm/r128_state.c~    2004-01-14 13:42:38.000000000 +0000
> +++ drivers/char/drm/r128_state.c     2004-01-14 13:46:27.000000000 +0000
> @@ -23,8 +23,20 @@
>   * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
>   * DEALINGS IN THE SOFTWARE.
>   *
> + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
> + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
> + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
> + * RED HAT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
> + * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
> + * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
> + * DEALINGS IN THE SOFTWARE.
> + *
> + * THIS SOFTWARE IS NOT INTENDED FOR USE IN SAFETY CRITICAL SYSTEMS
> + *
>   * Authors:
>   *    Gareth Hughes <[EMAIL PROTECTED]>
> + *
> + * Memory allocation size checks added 14/01/2003, Alan Cox <[EMAIL PROTECTED]>
>   */
>  
>  #include "r128.h"
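Review bot: the added attribution line in the header comment dates the change 14/01/2003, while both file headers of this diff are stamped 2004-01-14, so the year looks like a typo and should read 2004. The added warranty paragraph and the "NOT INTENDED FOR USE IN SAFETY CRITICAL SYSTEMS" line are a licence-header change unrelated to the size checks; splitting them into their own patch would keep the security fix easy to review and backport.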
> @@ -901,6 +913,9 @@
>       DRM_DEBUG( "%s\n", __FUNCTION__ );
>  
>       count = depth->n;
> +     
> +     if( count > 4096 )
> +             return -EMSGSIZE;
>       if ( copy_from_user( &x, depth->x, sizeof(x) ) ) {
>               return -EFAULT;
>       }
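Review bot: the added test after "count = depth->n;" bounds count only from above, so if count is a signed int (as the reply above says) a negative value passes "count > 4096" unchanged. Either declare count unsigned or test both ends, for example "if ( count < 0 || count > 4096 )". Style: the added blank line carries trailing whitespace, and "if( count" does not match the "if ( ... )" spacing used by the copy_from_user test right below it.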
> @@ -994,6 +1009,9 @@
>       DRM_DEBUG( "%s\n", __FUNCTION__ );
>  
>       count = depth->n;
> +     
> +     if( count > 4096 )
> +             return -EMSGSIZE;
>  
>       x = kmalloc( count * sizeof(*x), GFP_KERNEL );
>       if ( x == NULL ) {
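Review bot: in this hunk the unchecked lower bound matters most, because count goes straight into "kmalloc( count * sizeof(*x), GFP_KERNEL )", where a negative int is converted to a very large size_t before the multiplication and the product can wrap. Reject negative values (and decide whether 0 is meaningful) before the allocation, for example "if ( count < 0 || count > 4096 ) return -EMSGSIZE;", so the size handed to kmalloc is known to be at most 4096 * sizeof(*x).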
> @@ -1109,6 +1127,9 @@
>       DRM_DEBUG( "%s\n", __FUNCTION__ );
>  
>       count = depth->n;
> +     
> +     if ( count > 4096 )
> +             return -EMSGSIZE;
>       if ( copy_from_user( &x, depth->x, sizeof(x) ) ) {
>               return -EFAULT;
>       }
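Review bot: this is the third copy of the literal 4096 and of the same upper-bound-only test, so the limit should be a single named constant with a comment saying where the value comes from, given that the cover note itself is unsure about the limits picked. The negative-count gap raised for the earlier hunks applies here too, since the check after "count = depth->n;" is identical.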
> 

Bye,
     Thomas
-- 
  Thomas Biege <[EMAIL PROTECTED]>, SUSE LINUX AG, Security Support & Auditing
--
# If you have the "driftnet" program installed, webcollage can display a
# collage of images sniffed off your local ethernet, instead of pulled out
# of search engines: in that way, your screensaver can display the images
# that your co-workers are downloading!
                                          -- xscreensaver source-code
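The signedness question raised in this message, as an added user-space example that is not part of the original mail or of the r128 driver: it compares the patch's upper-bound-only test with a two-sided test. It assumes count is a 32-bit int as the message states; `to_count`, `check_patch`, `check_strict`, `alloc_size` and `MAX_DEPTH_COUNT` are hypothetical names.

```c
/* Added example: user-space model of the count check, not driver code. */
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_DEPTH_COUNT 4096	/* the limit used in the patch */

/* Models "count = depth->n" when n is unsigned and count is int.
 * Out-of-range conversion is implementation-defined; gcc and clang wrap. */
static int to_count(unsigned int n)
{
	return (int)n;
}

/* The test as written in the patch: upper bound only. */
static int check_patch(int count)
{
	if (count > MAX_DEPTH_COUNT)
		return -EMSGSIZE;
	return 0;
}

/* Two-sided variant (hypothetical): negative counts are rejected too. */
static int check_strict(int count)
{
	if (count < 0 || count > MAX_DEPTH_COUNT)
		return -EMSGSIZE;
	return 0;
}

/* Byte size an allocator sees for "count * sizeof(int)": the int is
 * converted to size_t before the multiplication. */
static size_t alloc_size(int count)
{
	return (size_t)count * sizeof(int);
}

int main(void)
{
	/* Constructed sample values for depth->n. */
	unsigned int samples[] = { 16u, 4096u, 4097u, 0x80000000u, 0xFFFFFFFFu };

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int c = to_count(samples[i]);
		printf("n=%u count=%d patch=%d strict=%d bytes=%zu\n", samples[i],
		       c, check_patch(c), check_strict(c), alloc_size(c));
	}
	return 0;
}
```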


