[patch 3/4] drm/qxl: array underflow in qxl_clientcap_ioctl()
Frediano Ziglio
fziglio at redhat.com
Thu Sep 17 07:16:34 PDT 2015
>
> We check that "byte" isn't writing beyond the end of the array but we
> also need to prevent array underflow.
>
> Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
>
> diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c
> b/drivers/gpu/drm/qxl/qxl_ioctl.c
> index b2db482..552dc06 100644
> --- a/drivers/gpu/drm/qxl/qxl_ioctl.c
> +++ b/drivers/gpu/drm/qxl/qxl_ioctl.c
> @@ -372,7 +372,7 @@ static int qxl_clientcap_ioctl(struct drm_device *dev,
> void *data,
> {
> struct qxl_device *qdev = dev->dev_private;
> struct drm_qxl_clientcap *param = data;
> - int byte, idx;
> + unsigned int byte, idx;
>
> byte = param->index / 8;
> idx = param->index % 8;
>
Actually there is no underflow. param->index is unsigned so either byte and
idx are at the end positive as long as int is not less then 4 bytes (which
I don't think is supported under Linux).
However I agree with the patch.
Acked!
Frediano Ziglio
More information about the dri-devel
mailing list