Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 36274ab8 authored by Murray McAllister's avatar Murray McAllister Committed by Thomas Hellstrom
Browse files

drm/vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl() 



Before memory allocations vmw_surface_define_ioctl() checks the
upper-bounds of a user-supplied size, but does not check if the
supplied size is 0.

Add check to avoid NULL pointer dereferences.

Cc: <stable@vger.kernel.org>
Signed-off-by: default avatarMurray McAllister <murray.mcallister@insomniasec.com>
Reviewed-by: default avatarSinclair Yeh <syeh@vmware.com>
parent f7652afa

drivers/gpu/drm/vmwgfx/vmwgfx_surface.c

+2 −2
Original line number Original line Diff line number Diff line
@@ -716,8 +716,8 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data, 
	for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)

	for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)

		num_sizes += req->mip_levels[i];

		num_sizes += req->mip_levels[i];





	if (num_sizes > DRM_VMW_MAX_SURFACE_FACES *

	if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||

	    DRM_VMW_MAX_MIP_LEVELS)

	    num_sizes == 0)

		return -EINVAL;

		return -EINVAL;





	size = vmw_user_surface_size + 128 +

	size = vmw_user_surface_size + 128 +