Browse Source

drm/radeon: integer underflow in radeon_cp_dispatch_texture()

The test:

	if (size > RADEON_MAX_TEXTURE_SIZE) {

"size" is an integer and it's controled by the user so it can be
negative and the test can underflow.  Later we use "size" in:

	dwords = size / 4;
	...
	RADEON_COPY_MT(buffer, data, (int)(dwords * sizeof(u32)));

It causes memory corruption to copy a negative size buffer.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Dan Carpenter 10 years ago
parent
commit
dd5a74f2f9
1 changed files with 1 additions and 1 deletions
  1. 1 1
      drivers/gpu/drm/radeon/radeon_state.c

+ 1 - 1
drivers/gpu/drm/radeon/radeon_state.c

@@ -1703,7 +1703,7 @@ static int radeon_cp_dispatch_texture(struct drm_device * dev,
 	u32 format;
 	u32 *buffer;
 	const u8 __user *data;
-	int size, dwords, tex_width, blit_width, spitch;
+	unsigned int size, dwords, tex_width, blit_width, spitch;
 	u32 height;
 	int i;
 	u32 texpitch, microtile;