On Tue, Dec 23, 2014 at 4:56 AM, Dan Carpenter dan.carpenter@oracle.com wrote:
The test:
if (size > RADEON_MAX_TEXTURE_SIZE) {"size" is an integer and it's controled by the user so it can be negative and the test can underflow. Later we use "size" in:
dwords = size / 4; ... RADEON_COPY_MT(buffer, data, (int)(dwords * sizeof(u32)));It causes memory corruption to copy a negative size buffer.
Signed-off-by: Dan Carpenter dan.carpenter@oracle.com
Applied to my fixes tree. thanks!
Alex
Static checkers complain about the integer overflows here, and there are many real overflows but they appear harmless.
diff --git a/drivers/gpu/drm/radeon/radeon_state.c b/drivers/gpu/drm/radeon/radeon_state.c index 535403e..15aee72 100644 --- a/drivers/gpu/drm/radeon/radeon_state.c +++ b/drivers/gpu/drm/radeon/radeon_state.c @@ -1703,7 +1703,7 @@ static int radeon_cp_dispatch_texture(struct drm_device * dev, u32 format; u32 *buffer; const u8 __user *data;
int size, dwords, tex_width, blit_width, spitch;
unsigned int size, dwords, tex_width, blit_width, spitch; u32 height; int i; u32 texpitch, microtile;
dri-devel mailing list dri-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/dri-devel