This got fixed in 2.4, but somehow got missed in 2.6.
http://icat.nist.gov/icat.cfm?cvename=CAN-2004-0003 has more info.

                Dave

--- linux-2.6.3/drivers/char/drm/r128_state.c~  2004-03-09 16:12:59.000000000 +0000
+++ linux-2.6.3/drivers/char/drm/r128_state.c   2004-03-09 16:13:42.000000000 +0000
@@ -915,6 +915,9 @@
        DRM_DEBUG( "\n" );
 
        count = depth->n;
+       if (count > 4096 || count <= 0)
+               return -EMSGSIZE;
+
        if ( DRM_COPY_FROM_USER( &x, depth->x, sizeof(x) ) ) {
                return DRM_ERR(EFAULT);
        }
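Review bot: The new guard returns `-EMSGSIZE` directly, while the context line right below it returns `DRM_ERR(EFAULT)`; writing it as `return DRM_ERR(EMSGSIZE);` would keep one error convention in this file, which matters if DRM_ERR is not a plain negation on every platform this driver is built for (its definition is not visible here). The same applies to the guards added in the hunks at -1008, -1125 and -1167. The limit 4096 is also repeated as a bare literal in all four places; a single named constant, with a comment saying it bounds the user-supplied `depth->n`, would keep the four copies from drifting apart. The enclosing function starts and ends outside the hunk.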
@@ -1008,6 +1011,8 @@
        DRM_DEBUG( "\n" );
 
        count = depth->n;
+       if (count > 4096  || count <= 0)
+               return -EMSGSIZE;
 
        xbuf_size = count * sizeof(*x);
        ybuf_size = count * sizeof(*y);
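Review bot: The guard added here is the only thing bounding `count * sizeof(*x)` and `count * sizeof(*y)` on the lines that follow, and nothing in the code says so. A comment above the guard, such as `/* count is user-controlled: bound it before it sizes xbuf/ybuf */`, would stop a later cleanup from moving or dropping the check. This guard also has a doubled space before `||`, unlike the other three. How the two sizes are used afterwards lies outside the hunk, so the buffer allocation is assumed rather than seen.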
@@ -1125,6 +1130,9 @@
        DRM_DEBUG( "\n" );
 
        count = depth->n;
+       if (count > 4096 || count <= 0)
+               return -EMSGSIZE;
+
        if ( DRM_COPY_FROM_USER( &x, depth->x, sizeof(x) ) ) {
                return DRM_ERR(EFAULT);
        }
@@ -1167,6 +1175,9 @@
        DRM_DEBUG( "%s\n", __FUNCTION__ );
 
        count = depth->n;
+       if (count > 4096 || count <= 0)
+               return -EMSGSIZE;
+
        if ( count > dev_priv->depth_pitch ) {
                count = dev_priv->depth_pitch;
        }

