summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2018-10-08 12:57:36 +0200
committerBartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>2018-10-08 12:57:36 +0200
commite5017716adb8aa5c01c52386c1b7470101ffe9c5 (patch)
tree9fe13b9419608329515b18beee4a922fab4d68fa
parentd8bad911e5e55e228d59c0606ff7e6b8131ca7bf (diff)
fbdev: sbuslib: integer overflow in sbusfb_ioctl_helper()
The "index + count" addition can overflow. Both come directly from the user. This bug leads to an information leak. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: Peter Malone <peter.malone@gmail.com> Cc: Philippe Ombredanne <pombredanne@nexb.com> Cc: Mathieu Malaterre <malat@debian.org> Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
-rw-r--r--drivers/video/fbdev/sbuslib.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/video/fbdev/sbuslib.c b/drivers/video/fbdev/sbuslib.c
index 90c51330969c..01a7110e61a7 100644
--- a/drivers/video/fbdev/sbuslib.c
+++ b/drivers/video/fbdev/sbuslib.c
@@ -171,7 +171,7 @@ int sbusfb_ioctl_helper(unsigned long cmd, unsigned long arg,
get_user(ublue, &c->blue))
return -EFAULT;
- if (index + count > cmap->len)
+ if (index > cmap->len || count > cmap->len - index)
return -EINVAL;
for (i = 0; i < count; i++) {