[PATCH libdrm 1/1] amdgpu: Do not write beyond allocated memory when parsing ids
Jan Vesely
jan.vesely at rutgers.edu
Fri Sep 1 19:05:18 UTC 2017
Fixes crash when/usr/share/libdrm/amdgpu.ids contains ASIC_ID_TABLE_NUM_ENTRIES + 1 entries.
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=102432
Signed-off-by: Jan Vesely <jan.vesely at rutgers.edu>
---
Compile tested only.
amdgpu/amdgpu_asic_id.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/amdgpu/amdgpu_asic_id.c b/amdgpu/amdgpu_asic_id.c
index 3a88896b..e8218974 100644
--- a/amdgpu/amdgpu_asic_id.c
+++ b/amdgpu/amdgpu_asic_id.c
@@ -186,19 +186,20 @@ int amdgpu_parse_asic_ids(struct amdgpu_asic_id **p_asic_id_table)
table_size++;
}
- /* end of table */
- id = asic_id_table + table_size;
- memset(id, 0, sizeof(struct amdgpu_asic_id));
-
if (table_size != table_max_size) {
id = realloc(asic_id_table, (table_size + 1) *
sizeof(struct amdgpu_asic_id));
- if (!id)
+ if (!id) {
r = -ENOMEM;
- else
- asic_id_table = id;
+ goto free;
+ }
+ asic_id_table = id;
}
+ /* end of table */
+ id = asic_id_table + table_size;
+ memset(id, 0, sizeof(struct amdgpu_asic_id));
+
free:
free(line);
--
2.13.5
More information about the dri-devel
mailing list