drm/savage: fix integer overflows in savage_bci_cmdbuf() (6587eb82) · Commits · e / devices / android_kernel_xiaomi_markw

drivers/gpu/drm/savage/savage_state.c

+3 −3

Original line number	Diff line number	Diff line
		@@ -988,7 +988,7 @@ int savage_bci_cmdbuf(struct drm_device dev, void data, struct drm_file *file_
		* for locking on FreeBSD.
		*/
		if (cmdbuf->size) {
		kcmd_addr = kmalloc(cmdbuf->size * 8, GFP_KERNEL);
		kcmd_addr = kmalloc_array(cmdbuf->size, 8, GFP_KERNEL);
		if (kcmd_addr == NULL)
		return -ENOMEM;

		@@ -1015,7 +1015,7 @@ int savage_bci_cmdbuf(struct drm_device dev, void data, struct drm_file *file_
		cmdbuf->vb_addr = kvb_addr;
		}
		if (cmdbuf->nbox) {
		kbox_addr = kmalloc(cmdbuf->nbox * sizeof(struct drm_clip_rect),
		kbox_addr = kmalloc_array(cmdbuf->nbox, sizeof(struct drm_clip_rect),
		GFP_KERNEL);
		if (kbox_addr == NULL) {
		ret = -ENOMEM;