* [PATCH] A patch to viafbdev.c
@ 2013-12-17 16:57 objectkuan
0 siblings, 0 replies; only message in thread
From: objectkuan @ 2013-12-17 16:57 UTC (permalink / raw)
To: linux-fbdev
There is a potential integer overflow in viafb_ioctl() if
users pass an unexpected value to viafb_second_size. An if
statement might be a simple solution to this issue.
Signed-off-by: objectkuan <objectkuan@gmail.com>
---
drivers/video/via/viafbdev.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/video/via/viafbdev.c b/drivers/video/via/viafbdev.c
index 325c43c..382368e 100644
--- a/drivers/video/via/viafbdev.c
+++ b/drivers/video/via/viafbdev.c
@@ -463,6 +463,10 @@ static int viafb_ioctl(struct fb_info *info, u_int cmd, u_long arg)
u.viasamm.size_prim = viaparinfo->fbmem_free;
u.viasamm.size_sec = viaparinfo1->fbmem_free;
} else {
+ if (0 > viafb_second_size
+ || viafb_second_size > INT_MAX / 1024 / 1024) {
+ return -EFAULT;
+ }
if (viafb_second_size) {
u.viasamm.size_prim viaparinfo->fbmem_free -
@@ -1819,6 +1822,10 @@ int via_fb_pci_probe(struct viafb_dev *vdev)
default_var.accel_flags = 0;
}
+ if (0 > viafb_second_size
+ || viafb_second_size > INT_MAX / 1024 / 1024) {
+ return -EFAULT;
+ }
if (viafb_second_size && (viafb_second_size < 8)) {
viafb_second_offset = viaparinfo->fbmem_free -
viafb_second_size * 1024 * 1024;
--
1.7.9.5
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2013-12-17 16:57 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-12-17 16:57 [PATCH] A patch to viafbdev.c objectkuan
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).