Bugzilla – Attachment 16028 Details for
Bug 48945
VUL-0: CVE-2004-0003: kernel: DRI: 3 bugs
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
IDP Log In
|
Forgot Password
[patch]
drm_r128_state.c.diff (drm subdirec)
drm_r128_state.c.diff (text/plain), 2.09 KB, created by
Thomas Biege
on 2004-02-17 23:32:02 UTC
(
hide
)
Description:
drm_r128_state.c.diff (drm subdirec)
Filename:
MIME Type:
Creator:
Thomas Biege
Created:
2004-02-17 23:32:02 UTC
Size:
2.09 KB
patch
obsolete
>--- r128_state.c.bak 2004-02-16 15:39:53.000000000 +0100 >+++ r128_state.c 2004-02-16 17:22:35.000000000 +0100 >@@ -23,8 +23,22 @@ > * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER > * DEALINGS IN THE SOFTWARE. > * >+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR >+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, >+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL >+ * RED HAT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY CLAIM, DAMAGES OR >+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, >+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER >+ * DEALINGS IN THE SOFTWARE. >+ * >+ * THIS SOFTWARE IS NOT INTENDED FOR USE IN SAFETY CRITICAL SYSTEMS >+ * > * Authors: > * Gareth Hughes <gareth@valinux.com> >+ * >+ * Memory allocation size checks added 14/01/2003, Alan Cox <alan@redhat.com> >+ * Memory allocation size checks enhanced 16/02/2004, Thomas Biege <thomas@suse.de> >+ * > */ > > #include "r128.h" >@@ -902,6 +916,9 @@ static int r128_cce_dispatch_write_span( > DRM_DEBUG( "%s\n", __FUNCTION__ ); > > count = depth->n; >+ >+ if( count > 4096 || count <= 0) >+ return -EMSGSIZE; > if ( copy_from_user( &x, depth->x, sizeof(x) ) ) { > return -EFAULT; > } >@@ -996,6 +1013,9 @@ static int r128_cce_dispatch_write_pixel > > count = depth->n; > >+ if( count > 4096 || count <= 0) >+ return -EMSGSIZE; >+ > x = kmalloc( count * sizeof(*x), GFP_KERNEL ); > if ( x == NULL ) { > return -ENOMEM; >@@ -1110,6 +1130,9 @@ static int r128_cce_dispatch_read_span( > DRM_DEBUG( "%s\n", __FUNCTION__ ); > > count = depth->n; >+ >+ if ( count > 4096 || count <= 0) >+ return -EMSGSIZE; > if ( copy_from_user( &x, depth->x, sizeof(x) ) ) { > return -EFAULT; > } >@@ -1155,7 +1178,10 @@ static int r128_cce_dispatch_read_pixels > if ( count > dev_priv->depth_pitch ) { > count = dev_priv->depth_pitch; > } >+ if( count * sizeof(int) <= 0 || count * sizeof(*x) <= 0 || count * sizeof(*y) <= 0) >+ return -EMSGSIZE; > >+ > x = kmalloc( count * sizeof(*x), GFP_KERNEL ); > if ( x == NULL ) { > return -ENOMEM;
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=16028">View the attachment on a separate page</a>.</b>
Actions:
View
|
Diff
Attachments on
bug 48945
:
15651
| 16028 |
16029