[PATCH 5/7] drm: plane: Check crtc coordinates against integer overflows in setplane ioctl
Jesse Barnes
jbarnes at virtuousgeek.org
Fri Nov 11 09:21:00 PST 2011
On Fri, 11 Nov 2011 19:11:39 +0200
Ville Syrjälä <ville.syrjala at linux.intel.com> wrote:
> On Fri, Nov 11, 2011 at 09:01:46AM -0800, Jesse Barnes wrote:
> > On Fri, 11 Nov 2011 18:04:05 +0200
> > ville.syrjala at linux.intel.com wrote:
> >
> > > From: Ville Syrjälä <ville.syrjala at linux.intel.com>
> > >
> > > Help drivers a little by guaranteeing that crtc_x+crtc_w and
> > > crtc_y+crtc_h don't overflow.
> > >
> > > Signed-off-by: Ville Syrjälä <ville.syrjala at linux.intel.com>
> > > ---
> > > drivers/gpu/drm/drm_crtc.c | 12 ++++++++++++
> > > 1 files changed, 12 insertions(+), 0 deletions(-)
> > >
> > > diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
> > > index 098cc50..2410a9a 100644
> > > --- a/drivers/gpu/drm/drm_crtc.c
> > > +++ b/drivers/gpu/drm/drm_crtc.c
> > > @@ -1725,6 +1725,18 @@ int drm_mode_setplane(struct drm_device *dev, void *data,
> > > goto out;
> > > }
> > >
> > > + /* Give drivers some help against integer overflows */
> > > + if (plane_req->crtc_w > INT_MAX ||
> > > + plane_req->crtc_x > INT_MAX - (int32_t) plane_req->crtc_w ||
> > > + plane_req->crtc_h > INT_MAX ||
> > > + plane_req->crtc_y > INT_MAX - (int32_t) plane_req->crtc_h) {
> > > + DRM_DEBUG_KMS("Invalid CRTC coordinates %ux%u+%d+%d\n",
> > > + plane_req->crtc_w, plane_req->crtc_h,
> > > + plane_req->crtc_x, plane_req->crtc_y);
> > > + ret = -EINVAL;
> > > + goto out;
> > > + }
> > > +
> > > ret = plane->funcs->update_plane(plane, crtc, fb,
> > > plane_req->crtc_x, plane_req->crtc_y,
> > > plane_req->crtc_w, plane_req->crtc_h,
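
Review bot: The `(int32_t) plane_req->crtc_w` and `(int32_t) plane_req->crtc_h` casts in the second and fourth conditions are only safe because the `> INT_MAX` test on the same field comes immediately before them in the `||` chain and short-circuits. Reordering the conditions would let a width above INT_MAX be cast to a negative value and slip through the subtraction. A sentence in the comment saying the order matters would protect this from a later cleanup. The comment "Give drivers some help against integer overflows" also does not say what is guaranteed once the check passes. Stating it outright (crtc_x + crtc_w and crtc_y + crtc_h each fit in a signed int, as the commit message puts it) would tell driver authors what they may rely on in update_plane and what they still have to validate themselves. The format string prints crtc_w/crtc_h with %u and crtc_x/crtc_y with %d, so the mixed signed/unsigned comparison in `plane_req->crtc_x > INT_MAX - (int32_t) plane_req->crtc_w` is worth spelling out as well: the right-hand side is non-negative after the cast, so a negative crtc_x always passes, which is fine for the sum but is a case drivers still see.
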
> >
> > Not sure this helps much in practice, since the drivers will have to
> > validate the target CRTC rect against the actual pipe dimensions anyway.
>
> My master plan is that drivers would just stick these into a drm_region
> (introduced in my other patchset) and clip that to the pipe dimensions.
Ok that makes sense. The new patchset looks really nice; having
helpers to support new chipsets and for regions should make things a
lot cleaner.
--
Jesse Barnes, Intel Open Source Technology Center