diff -urNp --exclude CVS --exclude BitKeeper --exclude {arch} --exclude .arch-ids xx/drivers/char/drm/r128_state.c x/drivers/char/drm/r128_state.c
--- xx/drivers/char/drm/r128_state.c 2003-11-28 23:12:35.000000000 +0100
+++ x/drivers/char/drm/r128_state.c 2004-05-31 16:31:02.304890160 +0200
@@ -23,8 +23,22 @@
 * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
 * DEALINGS IN THE SOFTWARE.
 *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * RED HAT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ * THIS SOFTWARE IS NOT INTENDED FOR USE IN SAFETY CRITICAL SYSTEMS
+ *
 * Authors:
 * Gareth Hughes
+ *
+ * Memory allocation size checks added 14/01/2003, Alan Cox
+ * Memory allocation size checks enhanced 16/02/2004, Thomas Biege
+ *
 */
 #include "r128.h"
@@ -901,6 +915,9 @@ static int r128_cce_dispatch_write_span(
 DRM_DEBUG( "%s\n", __FUNCTION__ );
 count = depth->n;
+
+ if( count > 4096 || count <= 0)
+ return -EMSGSIZE;
 if ( copy_from_user( &x, depth->x, sizeof(x) ) ) {
 return -EFAULT;
 }
@@ -995,6 +1012,9 @@ static int r128_cce_dispatch_write_pixel
 count = depth->n;
+ if( count > 4096 || count <= 0)
+ return -EMSGSIZE;
+
 x = kmalloc( count * sizeof(*x), GFP_KERNEL );
 if ( x == NULL ) {
 return -ENOMEM;
@@ -1109,6 +1129,9 @@ static int r128_cce_dispatch_read_span(
 DRM_DEBUG( "%s\n", __FUNCTION__ );
 count = depth->n;
+
+ if ( count > 4096 || count <= 0)
+ return -EMSGSIZE;
 if ( copy_from_user( &x, depth->x, sizeof(x) ) ) {
 return -EFAULT;
 }
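Review bot: In r128_cce_dispatch_write_span (hunk at -901,6) the bound in `if( count > 4096 || count <= 0)` is a bare literal with nothing saying what the 4096 is derived from, and the same literal is repeated in the write_pixels, read_span and read_pixels hunks of this file and in all four drm-4.0 hunks. One named constant shared by the eight checks, with a one-line comment stating which buffer or hardware limit it reflects, would keep them in step and let a reader verify the bound against the allocations that follow. The `count <= 0` arm rejects negative values only if `count` is a signed type; its declaration is outside the hunk, so that is worth confirming. The function body starts before and continues after the lines shown.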
@@ -1151,10 +1174,15 @@ static int r128_cce_dispatch_read_pixels
 DRM_DEBUG( "%s\n", __FUNCTION__ );
 count = depth->n;
+ if ( count > 4096 || count <= 0)
+ return -EMSGSIZE;
 if ( count > dev_priv->depth_pitch ) {
 count = dev_priv->depth_pitch;
 }
+ if( count * sizeof(int) <= 0 || count * sizeof(*x) <= 0 || count * sizeof(*y) <= 0)
+ return -EMSGSIZE;
+
 x = kmalloc( count * sizeof(*x), GFP_KERNEL );
 if ( x == NULL ) {
 return -ENOMEM;
diff -urNp --exclude CVS --exclude BitKeeper --exclude {arch} --exclude .arch-ids xx/drivers/char/drm-4.0/r128_state.c x/drivers/char/drm-4.0/r128_state.c
--- xx/drivers/char/drm-4.0/r128_state.c 2003-03-15 03:25:01.000000000 +0100
+++ x/drivers/char/drm-4.0/r128_state.c 2004-05-31 16:31:03.833657752 +0200
@@ -26,6 +26,8 @@
 * Authors:
 * Gareth Hughes
 *
+ * Memory allocation size checks added 16/02/2004, Thomas Biege
+ *
 */
 #define __NO_VERSION__
@@ -938,6 +940,9 @@ static int r128_cce_dispatch_write_span(
 }
 count = depth->n;
+
+ if( count > 4096 || count <= 0)
+ return -EMSGSIZE;
 if ( copy_from_user( &x, depth->x, sizeof(x) ) ) {
 return -EFAULT;
 }
@@ -1047,6 +1052,9 @@ static int r128_cce_dispatch_write_pixel
 }
 count = depth->n;
+ if( count > 4096 || count <= 0 || count * sizeof(*x) <= 0 ||
+ count * sizeof(*y) <= 0)
+ return -EMSGSIZE;
 x = kmalloc( count * sizeof(*x), 0 );
 if ( x == NULL ) {
@@ -1178,6 +1186,9 @@ static int r128_cce_dispatch_read_span(
 }
 count = depth->n;
+
+ if ( count > 4096 || count <= 0)
+ return -EMSGSIZE;
 if ( copy_from_user( &x, depth->x, sizeof(x) ) ) {
 return -EFAULT;
 }
@@ -1235,9 +1246,13 @@ static int r128_cce_dispatch_read_pixels
 }
 count = depth->n;
+ if ( count > 4096 || count <= 0)
+ return -EMSGSIZE;
 if ( count > dev_priv->depth_pitch ) {
 count = dev_priv->depth_pitch;
 }
+ if( count * sizeof(int) <= 0 || count * sizeof(*x) <= 0 || count * sizeof(*y) <= 0)
+ return -EMSGSIZE;
 x = kmalloc( count * sizeof(*x), 0 );
 if ( x == NULL ) {
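Review bot: In r128_cce_dispatch_read_pixels under drivers/char/drm (hunk at -1151,10) the second added test, `count * sizeof(int) <= 0 || count * sizeof(*x) <= 0 || count * sizeof(*y) <= 0`, cannot detect an overflow: `sizeof` yields `size_t`, so each product is unsigned and `<= 0` is true only when the product is exactly zero. After the first check `count` is already within 1..4096, so the only thing that can change it is the clamp to `dev_priv->depth_pitch`; if that field can be zero or negative (its type is not visible here, and this assumes `count` is an `int`), a negative count would pass the product test and reach `kmalloc( count * sizeof(*x), ... )` as a very large or wrapped size. Testing the clamped value directly, `if ( count <= 0 ) return -EMSGSIZE;`, states the intent and covers that case. The same product test appears in the drm-4.0 read_pixels hunk (-1235,9) and in the drm-4.0 write_pixels hunk (-1047,6), where it adds nothing beyond the range check beside it; all three functions continue outside their hunks.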