summaryrefslogtreecommitdiff
path: root/drivers
diff options
context:
space:
mode:
authorXi Wang <xi.wang@gmail.com>2012-04-06 17:38:24 -0400
committerDave Airlie <airlied@redhat.com>2012-04-10 10:22:51 +0100
commit6587eb82617f7913c13e750e73e13fa9c829863c (patch)
tree47795de3efba773e42336c954b8f15675c156536 /drivers
parent4de833c337509916b7931982734d858191cf0700 (diff)
drm/savage: fix integer overflows in savage_bci_cmdbuf()
Since cmdbuf->size and cmdbuf->nbox are from userspace, a large value would overflow the allocation size, leading to out-of-bounds access. Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/gpu/drm/savage/savage_state.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/drivers/gpu/drm/savage/savage_state.c b/drivers/gpu/drm/savage/savage_state.c
index 031aaaf79ac2..b6d8608375cd 100644
--- a/drivers/gpu/drm/savage/savage_state.c
+++ b/drivers/gpu/drm/savage/savage_state.c
@@ -988,7 +988,7 @@ int savage_bci_cmdbuf(struct drm_device *dev, void *data, struct drm_file *file_
* for locking on FreeBSD.
*/
if (cmdbuf->size) {
- kcmd_addr = kmalloc(cmdbuf->size * 8, GFP_KERNEL);
+ kcmd_addr = kmalloc_array(cmdbuf->size, 8, GFP_KERNEL);
if (kcmd_addr == NULL)
return -ENOMEM;
@@ -1015,8 +1015,8 @@ int savage_bci_cmdbuf(struct drm_device *dev, void *data, struct drm_file *file_
cmdbuf->vb_addr = kvb_addr;
}
if (cmdbuf->nbox) {
- kbox_addr = kmalloc(cmdbuf->nbox * sizeof(struct drm_clip_rect),
- GFP_KERNEL);
+ kbox_addr = kmalloc_array(cmdbuf->nbox, sizeof(struct drm_clip_rect),
+ GFP_KERNEL);
if (kbox_addr == NULL) {
ret = -ENOMEM;
goto done;