From: Dan Carpenter <dan.carpen...@oracle.com> [ Upstream commit e5017716adb8aa5c01c52386c1b7470101ffe9c5 ]
The "index + count" addition can overflow. Both come directly from the user. This bug leads to an information leak. Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com> Cc: Peter Malone <peter.mal...@gmail.com> Cc: Philippe Ombredanne <pombreda...@nexb.com> Cc: Mathieu Malaterre <ma...@debian.org> Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnier...@samsung.com> Signed-off-by: Sasha Levin <sas...@kernel.org> --- drivers/video/fbdev/sbuslib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/video/fbdev/sbuslib.c b/drivers/video/fbdev/sbuslib.c index b425718925c01..52e161dbd2047 100644 --- a/drivers/video/fbdev/sbuslib.c +++ b/drivers/video/fbdev/sbuslib.c @@ -170,7 +170,7 @@ int sbusfb_ioctl_helper(unsigned long cmd, unsigned long arg, get_user(ublue, &c->blue)) return -EFAULT; - if (index + count > cmap->len) + if (index > cmap->len || count > cmap->len - index) return -EINVAL; for (i = 0; i < count; i++) { -- 2.20.1 _______________________________________________ dri-devel mailing list dri-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/dri-devel