If vertex->idx == dma->buf_count then we end up reading one element beyond the end of the dma->buflist[] array.
Signed-off-by: Dan Carpenter dan.carpenter@oracle.com
diff --git a/drivers/gpu/drm/i810/i810_dma.c b/drivers/gpu/drm/i810/i810_dma.c index 576a417690d4..3b378936f575 100644 --- a/drivers/gpu/drm/i810/i810_dma.c +++ b/drivers/gpu/drm/i810/i810_dma.c @@ -934,7 +934,7 @@ static int i810_dma_vertex(struct drm_device *dev, void *data, DRM_DEBUG("idx %d used %d discard %d\n", vertex->idx, vertex->used, vertex->discard);
- if (vertex->idx < 0 || vertex->idx > dma->buf_count) + if (vertex->idx < 0 || vertex->idx >= dma->buf_count) return -EINVAL;
i810_dma_dispatch_vertex(dev,
On Tue, Jul 03, 2018 at 03:30:16PM +0300, Dan Carpenter wrote:
If vertex->idx == dma->buf_count then we end up reading one element beyond the end of the dma->buflist[] array.
Signed-off-by: Dan Carpenter dan.carpenter@oracle.com
This driver is a full-on root hole no matter what, but applied to appease the checkers :-)
Thanks, Daniel
diff --git a/drivers/gpu/drm/i810/i810_dma.c b/drivers/gpu/drm/i810/i810_dma.c index 576a417690d4..3b378936f575 100644 --- a/drivers/gpu/drm/i810/i810_dma.c +++ b/drivers/gpu/drm/i810/i810_dma.c @@ -934,7 +934,7 @@ static int i810_dma_vertex(struct drm_device *dev, void *data, DRM_DEBUG("idx %d used %d discard %d\n", vertex->idx, vertex->used, vertex->discard);
- if (vertex->idx < 0 || vertex->idx > dma->buf_count)
if (vertex->idx < 0 || vertex->idx >= dma->buf_count) return -EINVAL;
i810_dma_dispatch_vertex(dev,
dri-devel mailing list dri-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/dri-devel
dri-devel@lists.freedesktop.org
-
Dan Carpenter -
Daniel Vetter