diff options
author | Ville Syrjälä <ville.syrjala@linux.intel.com> | 2012-03-13 14:35:44 +0400 |
---|---|---|
committer | Dave Airlie <airlied@redhat.com> | 2012-03-15 13:50:39 +0400 |
commit | 90367bf6e98352520d15634ac4e79f0d4598cff1 (patch) | |
tree | 3a7024ae8e30e2186ca71893243fd6b4c0576f13 | |
parent | ee34ab5b01e6e7cbd9438aeb6ccbd08d3727988e (diff) | |
download | linux-90367bf6e98352520d15634ac4e79f0d4598cff1.tar.xz |
drm: Check user mode against overflows
The internal mode representation drm_display_mode uses signed data
types. When converting the user mode to internal representation,
check that the unsigned values don't overflow the signed datatypes.
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
-rw-r--r-- | drivers/gpu/drm/drm_crtc.c | 33 |
1 files changed, 28 insertions, 5 deletions
diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c index 9ccb92fdd7b2..4d9e69cb2354 100644 --- a/drivers/gpu/drm/drm_crtc.c +++ b/drivers/gpu/drm/drm_crtc.c @@ -1040,10 +1040,16 @@ void drm_crtc_convert_to_umode(struct drm_mode_modeinfo *out, * * Convert a drm_mode_modeinfo into a drm_display_mode structure to return to * the caller. + * + * RETURNS: + * Zero on success, errno on failure. */ -void drm_crtc_convert_umode(struct drm_display_mode *out, - struct drm_mode_modeinfo *in) +int drm_crtc_convert_umode(struct drm_display_mode *out, + struct drm_mode_modeinfo *in) { + if (in->clock > INT_MAX || in->vrefresh > INT_MAX) + return -ERANGE; + out->clock = in->clock; out->hdisplay = in->hdisplay; out->hsync_start = in->hsync_start; @@ -1060,6 +1066,8 @@ void drm_crtc_convert_umode(struct drm_display_mode *out, out->type = in->type; strncpy(out->name, in->name, DRM_DISPLAY_MODE_LEN); out->name[DRM_DISPLAY_MODE_LEN-1] = 0; + + return 0; } /** @@ -1820,7 +1828,12 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data, goto out; } - drm_crtc_convert_umode(mode, &crtc_req->mode); + ret = drm_crtc_convert_umode(mode, &crtc_req->mode); + if (ret) { + DRM_DEBUG_KMS("Invalid mode\n"); + goto out; + } + drm_mode_set_crtcinfo(mode, CRTC_INTERLACE_HALVE_V); } @@ -2492,7 +2505,12 @@ int drm_mode_attachmode_ioctl(struct drm_device *dev, goto out; } - drm_crtc_convert_umode(mode, umode); + ret = drm_crtc_convert_umode(mode, umode); + if (ret) { + DRM_DEBUG_KMS("Invalid mode\n"); + drm_mode_destroy(dev, mode); + goto out; + } drm_mode_attachmode(dev, connector, mode); out: @@ -2535,7 +2553,12 @@ int drm_mode_detachmode_ioctl(struct drm_device *dev, } connector = obj_to_connector(obj); - drm_crtc_convert_umode(&mode, umode); + ret = drm_crtc_convert_umode(&mode, umode); + if (ret) { + DRM_DEBUG_KMS("Invalid mode\n"); + goto out; + } + ret = drm_mode_detachmode(dev, connector, &mode); out: mutex_unlock(&dev->mode_config.mutex); |