dri-devel.lists.freedesktop.org archive mirror
From: ville.syrjala@linux.intel.com
To: dri-devel@lists.freedesktop.org
Subject: [PATCH 01/51] drm: Be more paranoid with integer overflows
Date: Thu, 25 Oct 2012 21:05:04 +0300
Message-ID: <1351188354-24233-2-git-send-email-ville.syrjala@linux.intel.com>
In-Reply-To: <1351188354-24233-1-git-send-email-ville.syrjala@linux.intel.com>

From: Ville Syrjälä <ville.syrjala@linux.intel.com>

Make sure 'width * cpp' and 'height * pitch + offset' don't exceed
UINT_MAX.

Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
---
 drivers/gpu/drm/drm_crtc.c |   10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
index ef1b221..d9a639c 100644
--- a/drivers/gpu/drm/drm_crtc.c
+++ b/drivers/gpu/drm/drm_crtc.c
@@ -2280,13 +2280,21 @@ static int framebuffer_check(const struct drm_mode_fb_cmd2 *r)
 
 	for (i = 0; i < num_planes; i++) {
 		unsigned int width = r->width / (i != 0 ? hsub : 1);
+		unsigned int height = r->height / (i != 0 ? vsub : 1);
+		unsigned int cpp = drm_format_plane_cpp(r->pixel_format, i);
 
 		if (!r->handles[i]) {
 			DRM_DEBUG_KMS("no buffer object handle for plane %d\n", i);
 			return -EINVAL;
 		}
 
-		if (r->pitches[i] < drm_format_plane_cpp(r->pixel_format, i) * width) {
+		if ((uint64_t) width * cpp > UINT_MAX)
+			return -ERANGE;
+
+		if ((uint64_t) height * r->pitches[i] + r->offsets[i] > UINT_MAX)
+			return -ERANGE;
+
+		if (r->pitches[i] < width * cpp) {
 			DRM_DEBUG_KMS("bad pitch %u for plane %d\n", r->pitches[i], i);
 			return -EINVAL;
 		}
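
Review bot: The two new -ERANGE returns in the loop are silent, unlike the neighbouring "no buffer object handle" and "bad pitch" rejections, which both log through DRM_DEBUG_KMS. Consider adding a debug message before each return, for example DRM_DEBUG_KMS("bad width %u for plane %d\n", width, i), so a caller whose framebuffer is refused can tell an overflow rejection from the other cases. The widening itself reads correctly: with the (uint64_t) cast on the first operand, both 'width * cpp' and 'height * r->pitches[i] + r->offsets[i]' are evaluated in 64 bits, and the later 'r->pitches[i] < width * cpp' comparison can no longer wrap because the product has already been bounded by UINT_MAX. As a style point, kernel code usually writes the cast as (u64)width, without the space after the cast and with the kernel type name.
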
-- 
1.7.8.6
