drm: Check crtc x and y coordinates

commit 1d97e9154821d52a5ebc226176d4839c7b86b116 upstream. The crtc x/y panning coordinates are stored as signed integers internally. The user provides them as unsigned, so we should check that the user provided values actually fit in the internal datatypes. Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com> Reviewed-by: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Dave Airlie <airlied@redhat.com> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
author: Ville Syrjälä <ville.syrjala@linux.intel.com> 2012-03-13 12:35:41 +0200
committer: Ben Hutchings <ben@decadent.org.uk> 2015-08-12 16:33:20 +0200
commit: fe3215cc59a7996aaa84932affb3a9b62375ba6c (patch)
tree: 73f73ad2c67c05f5986fc5185c3e44db5ef2a7d2
parent: 436bd506eaab4da2edf986306135ce3964eecf36 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
index 09851ce2500e..0e716fd2cb89 100644
--- a/drivers/gpu/drm/drm_crtc.c
+++ b/drivers/gpu/drm/drm_crtc.c
@@ -1505,6 +1505,10 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data,
 	if (!drm_core_check_feature(dev, DRIVER_MODESET))
 		return -EINVAL;
 
+	/* For some reason crtc x/y offsets are signed internally. */
+	if (crtc_req->x > INT_MAX || crtc_req->y > INT_MAX)
+		return -ERANGE;
+
 	mutex_lock(&dev->mode_config.mutex);
 	obj = drm_mode_object_find(dev, crtc_req->crtc_id,
 				   DRM_MODE_OBJECT_CRTC);
author	Ville Syrjälä <ville.syrjala@linux.intel.com>	2012-03-13 12:35:41 +0200
committer	Ben Hutchings <ben@decadent.org.uk>	2015-08-12 16:33:20 +0200
commit	fe3215cc59a7996aaa84932affb3a9b62375ba6c (patch)
tree	73f73ad2c67c05f5986fc5185c3e44db5ef2a7d2
parent	436bd506eaab4da2edf986306135ce3964eecf36 (diff)