[patch 3/4] drm/qxl: array underflow in qxl_clientcap_ioctl()

Frediano Ziglio fziglio at redhat.com
Thu Sep 17 07:16:34 PDT 2015


> 
> We check that "byte" isn't writing beyond the end of the array but we
> also need to prevent array underflow.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
> 
> diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c
> b/drivers/gpu/drm/qxl/qxl_ioctl.c
> index b2db482..552dc06 100644
> --- a/drivers/gpu/drm/qxl/qxl_ioctl.c
> +++ b/drivers/gpu/drm/qxl/qxl_ioctl.c
> @@ -372,7 +372,7 @@ static int qxl_clientcap_ioctl(struct drm_device *dev,
> void *data,
>  {
>  	struct qxl_device *qdev = dev->dev_private;
>  	struct drm_qxl_clientcap *param = data;
> -	int byte, idx;
> +	unsigned int byte, idx;
>  
>  	byte = param->index / 8;
>  	idx = param->index % 8;
> 
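Review bot: On the `unsigned int byte, idx;` declaration, the commit message calls this an array underflow, but the visible lines derive both values from `param->index` with `/ 8` and `% 8`, so a negative result is only possible if `index` is a signed field. The message should state the type of `param->index`; if it is unsigned, describe the change as a type cleanup rather than an underflow fix, so the log does not suggest a reachable out-of-bounds access.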

Actually there is no underflow. param->index is unsigned, so both byte and
idx are positive in the end as long as int is not less than 4 bytes (which
I don't think is supported under Linux).

However I agree with the patch.

Acked!

Frediano Ziglio
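
The type reasoning in this reply, as an added example that is not part of the original post or the driver's code: it compares an upper-bound-only check for an unsigned 32-bit index with signed locals (the case discussed), a hypothetical signed index with signed locals, and a hypothetical signed index with the patch's unsigned locals. `CAP_BYTES`, `REJECTED` and the function names are assumptions made for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_BYTES 8        /* constructed array length, not the driver's */
#define REJECTED  INT_MIN  /* sentinel: the bound check refused the index */

/* Case in the thread: index is unsigned 32-bit, locals are signed int. */
static int offset_u32_index(uint32_t index)
{
    int byte = index / 8;          /* <= UINT32_MAX / 8, fits a 32-bit int */
    return byte >= CAP_BYTES ? REJECTED : byte;
}

/* Hypothetical: index is signed, locals signed, upper bound only. */
static int offset_signed_locals(int32_t index)
{
    int byte = index / 8;          /* C division truncates toward zero */
    return byte >= CAP_BYTES ? REJECTED : byte;   /* negative passes */
}

/* Hypothetical signed index combined with the patch's unsigned locals. */
static int offset_unsigned_locals(int32_t index)
{
    unsigned int byte = index / 8; /* -1 converts to UINT_MAX */
    return byte >= CAP_BYTES ? REJECTED : (int)byte;
}

int main(void)
{
    /* 1 means the check rejected the index */
    printf("u32 max index, signed locals : rejected=%d\n",
           offset_u32_index(UINT32_MAX) == REJECTED);
    /* a negative offset here is the underflow the commit message describes */
    printf("signed -9, signed locals     : offset=%d\n",
           offset_signed_locals(-9));
    printf("signed -9, unsigned locals   : rejected=%d\n",
           offset_unsigned_locals(-9) == REJECTED);
    return 0;
}
```
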

