[PATCH libdrm 1/1] amdgpu: Do not write beyond allocated memory when parsing ids

Jan Vesely jan.vesely at rutgers.edu
Fri Sep 1 19:05:18 UTC 2017


Fixes crash when/usr/share/libdrm/amdgpu.ids contains ASIC_ID_TABLE_NUM_ENTRIES + 1 entries.

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=102432
Signed-off-by: Jan Vesely <jan.vesely at rutgers.edu>
---
Compile tested only.

 amdgpu/amdgpu_asic_id.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/amdgpu/amdgpu_asic_id.c b/amdgpu/amdgpu_asic_id.c
index 3a88896b..e8218974 100644
--- a/amdgpu/amdgpu_asic_id.c
+++ b/amdgpu/amdgpu_asic_id.c
@@ -186,19 +186,20 @@ int amdgpu_parse_asic_ids(struct amdgpu_asic_id **p_asic_id_table)
 		table_size++;
 	}
 
-	/* end of table */
-	id = asic_id_table + table_size;
-	memset(id, 0, sizeof(struct amdgpu_asic_id));
-
 	if (table_size != table_max_size) {
 		id = realloc(asic_id_table, (table_size + 1) *
 			     sizeof(struct amdgpu_asic_id));
-		if (!id)
+		if (!id) {
 			r = -ENOMEM;
-		else
-			asic_id_table = id;
+			goto free;
+		}
+		asic_id_table = id;
         }
 
+	/* end of table */
+	id = asic_id_table + table_size;
+	memset(id, 0, sizeof(struct amdgpu_asic_id));
+
 free:
 	free(line);
 
-- 
2.13.5



More information about the dri-devel mailing list