|
Lines 26-31
Link Here
|
| 26 |
* Authors: |
26 |
* Authors: |
| 27 |
* Gareth Hughes <gareth@valinux.com> |
27 |
* Gareth Hughes <gareth@valinux.com> |
| 28 |
* |
28 |
* |
|
|
29 |
* Memory allocation size checks added 16/02/2004, Thomas Biege <thomas@suse.de> |
| 30 |
* |
| 29 |
*/ |
31 |
*/ |
| 30 |
|
32 |
|
| 31 |
#define __NO_VERSION__ |
33 |
#define __NO_VERSION__ |
|
Lines 938-943
static int r128_cce_dispatch_write_span(
Link Here
|
| 938 |
} |
940 |
} |
| 939 |
|
941 |
|
| 940 |
count = depth->n; |
942 |
count = depth->n; |
|
|
943 |
|
| 944 |
if( count > 4096 || count <= 0) |
| 945 |
return -EMSGSIZE; |
| 941 |
if ( copy_from_user( &x, depth->x, sizeof(x) ) ) { |
946 |
if ( copy_from_user( &x, depth->x, sizeof(x) ) ) { |
| 942 |
return -EFAULT; |
947 |
return -EFAULT; |
| 943 |
} |
948 |
} |
|
Lines 1047-1052
static int r128_cce_dispatch_write_pixel
Link Here
|
| 1047 |
} |
1052 |
} |
| 1048 |
|
1053 |
|
| 1049 |
count = depth->n; |
1054 |
count = depth->n; |
|
|
1055 |
if( count > 4096 || count <= 0 || count * sizeof(*x) <= 0 || |
| 1056 |
count * sizeof(*y) <= 0) |
| 1057 |
return -EMSGSIZE; |
| 1050 |
|
1058 |
|
| 1051 |
x = kmalloc( count * sizeof(*x), 0 ); |
1059 |
x = kmalloc( count * sizeof(*x), 0 ); |
| 1052 |
if ( x == NULL ) { |
1060 |
if ( x == NULL ) { |
|
Lines 1178-1183
static int r128_cce_dispatch_read_span(
Link Here
|
| 1178 |
} |
1186 |
} |
| 1179 |
|
1187 |
|
| 1180 |
count = depth->n; |
1188 |
count = depth->n; |
|
|
1189 |
|
| 1190 |
if ( count > 4096 || count <= 0) |
| 1191 |
return -EMSGSIZE; |
| 1181 |
if ( copy_from_user( &x, depth->x, sizeof(x) ) ) { |
1192 |
if ( copy_from_user( &x, depth->x, sizeof(x) ) ) { |
| 1182 |
return -EFAULT; |
1193 |
return -EFAULT; |
| 1183 |
} |
1194 |
} |
|
Lines 1238-1243
static int r128_cce_dispatch_read_pixels
Link Here
|
| 1238 |
if ( count > dev_priv->depth_pitch ) { |
1249 |
if ( count > dev_priv->depth_pitch ) { |
| 1239 |
count = dev_priv->depth_pitch; |
1250 |
count = dev_priv->depth_pitch; |
| 1240 |
} |
1251 |
} |
|
|
1252 |
if( count * sizeof(int) <= 0 || count * sizeof(*x) <= 0 || count * sizeof(*y) <= 0) |
| 1253 |
return -EMSGSIZE; |
| 1241 |
|
1254 |
|
| 1242 |
x = kmalloc( count * sizeof(*x), 0 ); |
1255 |
x = kmalloc( count * sizeof(*x), 0 ); |
| 1243 |
if ( x == NULL ) { |
1256 |
if ( x == NULL ) { |