From patchwork Fri Mar 29 02:40:09 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Simon Horman <horms+renesas@verge.net.au>
X-Patchwork-Id: 2361081
Return-Path: <ltsi-dev-bounces@lists.linuxfoundation.org>
X-Original-To: patchwork-ltsi-dev@patchwork.kernel.org
Delivered-To: patchwork-process-083081@patchwork2.kernel.org
Received: from mail.linuxfoundation.org (mail.linuxfoundation.org
	[140.211.169.12])
	by patchwork2.kernel.org (Postfix) with ESMTP id 4E1F6DF2A1
	for <patchwork-ltsi-dev@patchwork.kernel.org>;
	Fri, 29 Mar 2013 02:48:55 +0000 (UTC)
Received: from mail.linux-foundation.org (localhost [IPv6:::1])
	by mail.linuxfoundation.org (Postfix) with ESMTP id 554A8B8E;
	Fri, 29 Mar 2013 02:46:01 +0000 (UTC)
X-Original-To: ltsi-dev@lists.linuxfoundation.org
Delivered-To: ltsi-dev@mail.linuxfoundation.org
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTP id 6A14BBA4
	for <ltsi-dev@lists.linuxfoundation.org>;
	Fri, 29 Mar 2013 02:45:54 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.7.6
Received: from kirsty.vergenet.net (kirsty.vergenet.net [202.4.237.240])
	by smtp1.linuxfoundation.org (Postfix) with ESMTP id 8406A20179
	for <ltsi-dev@lists.linuxfoundation.org>;
	Fri, 29 Mar 2013 02:45:45 +0000 (UTC)
Received: from ayumi.akashicho.tokyo.vergenet.net
	(p8120-ipbfp1001kobeminato.hyogo.ocn.ne.jp [118.10.137.120])
	by kirsty.vergenet.net (Postfix) with ESMTP id 5E0432C69D9;
	Fri, 29 Mar 2013 13:45:35 +1100 (EST)
Received: by ayumi.akashicho.tokyo.vergenet.net (Postfix, from userid 7100)
	id C058BEDEA3D; Fri, 29 Mar 2013 11:45:33 +0900 (JST)
From: Simon Horman <horms+renesas@verge.net.au>
To: ltsi-dev@lists.linuxfoundation.org
Date: Fri, 29 Mar 2013 11:40:09 +0900
Message-Id: <1364525119-31791-81-git-send-email-horms+renesas@verge.net.au>
X-Mailer: git-send-email 1.7.10.4
In-Reply-To: <1364525119-31791-1-git-send-email-horms+renesas@verge.net.au>
References: <1364525119-31791-1-git-send-email-horms+renesas@verge.net.au>
MIME-Version: 1.0
X-Spam-Status: No, score=-3.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_LOW,
	RP_MATCHES_RCVD autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Cc: Magnus Damm <magnus.damm@gmail.com>
Subject: [LTSI-dev] [PATCH/RFC 080/390] drm: Be more paranoid with integer
	overflows
X-BeenThere: ltsi-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "A list to discuss patches, development,
	and other things related to the LTSI project"
	<ltsi-dev.lists.linuxfoundation.org>
List-Unsubscribe: 
 <https://lists.linuxfoundation.org/mailman/options/ltsi-dev>,
	<mailto:ltsi-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/ltsi-dev/>
List-Post: <mailto:ltsi-dev@lists.linuxfoundation.org>
List-Help: <mailto:ltsi-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/ltsi-dev>,
	<mailto:ltsi-dev-request@lists.linuxfoundation.org?subject=subscribe>
Sender: ltsi-dev-bounces@lists.linuxfoundation.org
Errors-To: ltsi-dev-bounces@lists.linuxfoundation.org

From: Ville Syrjälä <ville.syrjala@linux.intel.com>

Make sure 'width * cpp' and 'height * pitch + offset' don't exceed
UINT_MAX.

Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
(cherry picked from commit b180b5d1c7ac930387734664802fc26fa788e26f)

Signed-off-by: Simon Horman <horms+renesas@verge.net.au>
---
 drivers/gpu/drm/drm_crtc.c |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
index 9c346a5..b094abe 100644
--- a/drivers/gpu/drm/drm_crtc.c
+++ b/drivers/gpu/drm/drm_crtc.c
@@ -2281,13 +2281,21 @@ static int framebuffer_check(const struct drm_mode_fb_cmd2 *r)
 
 	for (i = 0; i < num_planes; i++) {
 		unsigned int width = r->width / (i != 0 ? hsub : 1);
+		unsigned int height = r->height / (i != 0 ? vsub : 1);
+		unsigned int cpp = drm_format_plane_cpp(r->pixel_format, i);
 
 		if (!r->handles[i]) {
 			DRM_DEBUG_KMS("no buffer object handle for plane %d\n", i);
 			return -EINVAL;
 		}
 
-		if (r->pitches[i] < drm_format_plane_cpp(r->pixel_format, i) * width) {
+		if ((uint64_t) width * cpp > UINT_MAX)
+			return -ERANGE;
+
+		if ((uint64_t) height * r->pitches[i] + r->offsets[i] > UINT_MAX)
+			return -ERANGE;
+
+		if (r->pitches[i] < width * cpp) {
 			DRM_DEBUG_KMS("bad pitch %u for plane %d\n", r->pitches[i], i);
 			return -EINVAL;
 		}