diff mbox

[RFC,017/111] staging: etnaviv: validation: improve command buffer size checks

Message ID 1427988653-754-18-git-send-email-l.stach@pengutronix.de (mailing list archive)
State New, archived
Headers show

Commit Message

Lucas Stach April 2, 2015, 3:29 p.m. UTC 
From: Russell King <rmk+kernel@arm.linux.org.uk>

Additions can overflow, when they do, they can lead to incorrect
results.  When we verify that the buffer offset and size fit within
the buffer object, we must do this safely.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
---
 drivers/staging/etnaviv/etnaviv_gem_submit.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff mbox

Patch

diff --git a/drivers/staging/etnaviv/etnaviv_gem_submit.c b/drivers/staging/etnaviv/etnaviv_gem_submit.c
index f8b733a0e313..39ae61ab43fd 100644
--- a/drivers/staging/etnaviv/etnaviv_gem_submit.c
+++ b/drivers/staging/etnaviv/etnaviv_gem_submit.c
@@ -380,7 +380,8 @@  int etnaviv_ioctl_gem_submit(struct drm_device *dev, void *data,
 		 */
 		max_size = etnaviv_obj->base.size - 8;
 
-		if ((submit_cmd.size + submit_cmd.submit_offset) > max_size) {
+		if (submit_cmd.size > max_size ||
+		    submit_cmd.submit_offset > max_size - submit_cmd.size) {
 			DRM_ERROR("invalid cmdstream size: %u\n", submit_cmd.size);
 			ret = -EINVAL;
 			goto out;