[libdrm,1/1] amdgpu: Do not write beyond allocated memory when parsing ids

Message ID 20170901190518.14934-1-jan.vesely@rutgers.edu (mailing list archive)
State New, archived

Commit Message

Jan Vesely Sept. 1, 2017, 7:05 p.m. UTC
Fixes crash when /usr/share/libdrm/amdgpu.ids contains ASIC_ID_TABLE_NUM_ENTRIES + 1 entries.

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=102432
Signed-off-by: Jan Vesely <jan.vesely@rutgers.edu>
---
Compile tested only.

 amdgpu/amdgpu_asic_id.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

Comments

Michel Dänzer Sept. 5, 2017, 3:32 a.m. UTC | #1
On 02/09/17 04:05 AM, Jan Vesely wrote:
> Fixes crash when /usr/share/libdrm/amdgpu.ids contains ASIC_ID_TABLE_NUM_ENTRIES + 1 entries.
> 
> Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=102432
> Signed-off-by: Jan Vesely <jan.vesely@rutgers.edu>

Thanks for the good catch.


> diff --git a/amdgpu/amdgpu_asic_id.c b/amdgpu/amdgpu_asic_id.c
> index 3a88896b..e8218974 100644
> --- a/amdgpu/amdgpu_asic_id.c
> +++ b/amdgpu/amdgpu_asic_id.c
> @@ -186,19 +186,20 @@ int amdgpu_parse_asic_ids(struct amdgpu_asic_id **p_asic_id_table)
>  		table_size++;
>  	}
>  
> -	/* end of table */
> -	id = asic_id_table + table_size;
> -	memset(id, 0, sizeof(struct amdgpu_asic_id));
> -
>  	if (table_size != table_max_size) {
>  		id = realloc(asic_id_table, (table_size + 1) *
>  			     sizeof(struct amdgpu_asic_id));
> -		if (!id)
> +		if (!id) {
>  			r = -ENOMEM;
> -		else
> -			asic_id_table = id;
> +			goto free;
> +		}
> +		asic_id_table = id;
>          }
>  
> +	/* end of table */
> +	id = asic_id_table + table_size;
> +	memset(id, 0, sizeof(struct amdgpu_asic_id));
> +
>  free:
>  	free(line);
>  
> 
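
Review bot: When `table_size == table_max_size` the `realloc` is skipped, yet the relocated end-of-table `memset` still writes at `asic_id_table + table_size`. That write is in bounds only if the buffer was originally allocated with one entry more than `table_max_size`, and the allocation is not visible in this hunk. Either resize unconditionally to `table_size + 1` entries, or add a comment beside `if (table_size != table_max_size)` stating the allocation invariant the skipped branch depends on.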

Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>

Patch

diff --git a/amdgpu/amdgpu_asic_id.c b/amdgpu/amdgpu_asic_id.c
index 3a88896b..e8218974 100644
--- a/amdgpu/amdgpu_asic_id.c
+++ b/amdgpu/amdgpu_asic_id.c
@@ -186,19 +186,20 @@  int amdgpu_parse_asic_ids(struct amdgpu_asic_id **p_asic_id_table)
 		table_size++;
 	}
 
-	/* end of table */
-	id = asic_id_table + table_size;
-	memset(id, 0, sizeof(struct amdgpu_asic_id));
-
 	if (table_size != table_max_size) {
 		id = realloc(asic_id_table, (table_size + 1) *
 			     sizeof(struct amdgpu_asic_id));
-		if (!id)
+		if (!id) {
 			r = -ENOMEM;
-		else
-			asic_id_table = id;
+			goto free;
+		}
+		asic_id_table = id;
         }
 
+	/* end of table */
+	id = asic_id_table + table_size;
+	memset(id, 0, sizeof(struct amdgpu_asic_id));
+
 free:
 	free(line);
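
Review bot: The new `goto free` after a failed `realloc` leaves `asic_id_table` pointing at the old block with no terminating zero entry, and the visible lines do not show what happens to it after `free:`. Please confirm that the cleanup path releases the table and does not publish it through `*p_asic_id_table` when `r` is `-ENOMEM`. As a style point, the closing brace of the `if (table_size != table_max_size)` block is indented with spaces where the surrounding lines use tabs. Since the patch is marked "Compile tested only", a run against an ids file holding ASIC_ID_TABLE_NUM_ENTRIES + 1 entries, ideally under a memory checker, would confirm the out-of-bounds write is gone.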