diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2018-05-16 17:00:26 +0300 |
---|---|---|
committer | Daniel Vetter <daniel.vetter@ffwll.ch> | 2018-05-16 18:56:06 +0300 |
commit | 2b6207291b7b277a5df9d1aab44b56815a292dba (patch) | |
tree | e82d043e6e1cdd9a0a94b95023e8cd786d8217de /.cocciconfig | |
parent | 72cb0d893343cd33e6ab62cf26f2625d5d3532c9 (diff) | |
download | linux-2b6207291b7b277a5df9d1aab44b56815a292dba.tar.xz |
drm/dumb-buffers: Integer overflow in drm_mode_create_ioctl()
There is a comment here which says that DIV_ROUND_UP() and that's where
the problem comes from. Say you pick:
args->bpp = UINT_MAX - 7;
args->width = 4;
args->height = 1;
The integer overflow in DIV_ROUND_UP() means "cpp" is UINT_MAX / 8 and
because of how we picked args->width that means cpp < UINT_MAX / 4.
I've fixed it by preventing the integer overflow in DIV_ROUND_UP(). I
removed the check for !cpp because it's not possible after this change.
I also changed all the 0xffffffffU references to U32_MAX.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20180516140026.GA19340@mwanda
Diffstat (limited to '.cocciconfig')
0 files changed, 0 insertions, 0 deletions