[PATCH libdrm 1/1] amdgpu: Do not write beyond allocated memory when parsing ids
Michel Dänzer
michel at daenzer.net
Tue Sep 5 03:32:05 UTC 2017
On 02/09/17 04:05 AM, Jan Vesely wrote:
> Fixes crash when/usr/share/libdrm/amdgpu.ids contains ASIC_ID_TABLE_NUM_ENTRIES + 1 entries.
>
> Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=102432
> Signed-off-by: Jan Vesely <jan.vesely at rutgers.edu>
Thanks for the good catch.
> diff --git a/amdgpu/amdgpu_asic_id.c b/amdgpu/amdgpu_asic_id.c
> index 3a88896b..e8218974 100644
> --- a/amdgpu/amdgpu_asic_id.c
> +++ b/amdgpu/amdgpu_asic_id.c
> @@ -186,19 +186,20 @@ int amdgpu_parse_asic_ids(struct amdgpu_asic_id **p_asic_id_table)
> table_size++;
> }
>
> - /* end of table */
> - id = asic_id_table + table_size;
> - memset(id, 0, sizeof(struct amdgpu_asic_id));
> -
> if (table_size != table_max_size) {
> id = realloc(asic_id_table, (table_size + 1) *
> sizeof(struct amdgpu_asic_id));
> - if (!id)
> + if (!id) {
> r = -ENOMEM;
> - else
> - asic_id_table = id;
> + goto free;
> + }
> + asic_id_table = id;
> }
>
> + /* end of table */
> + id = asic_id_table + table_size;
> + memset(id, 0, sizeof(struct amdgpu_asic_id));
> +
> free:
> free(line);
>
>
Reviewed-by: Michel Dänzer <michel.daenzer at amd.com>
--
Earthling Michel Dänzer | http://www.amd.com
Libre software enthusiast | Mesa and X developer
More information about the dri-devel
mailing list