Commit 00e72089 authored by David Herrmann's avatar David Herrmann Committed by Dave Airlie

drm: fix division-by-zero on dumb_create()

Kinda unexpected, but DIV_ROUND_UP() can overflow if passed an argument
bigger than UINT_MAX - DIVISOR. Fix this by testing for "!cpp" before
using it in the following division.

Note that DIV_ROUND_UP() is defined as:
        #define DIV_ROUND_UP(n,d) (((n) + (d) - 1) / (d))

..this will obviously overflow if (n + d - 1) is bigger than UINT_MAX.
Reported-by: default avatarTommi Rantala <tt.rantala@gmail.com>
Signed-off-by: default avatarDavid Herrmann <dh.herrmann@gmail.com>
Reviewed-by: default avatarRob Clark <robdclark@gmail.com>
Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
parent 4d692373
......@@ -4696,8 +4696,9 @@ int drm_mode_create_dumb_ioctl(struct drm_device *dev,
return -EINVAL;
/* overflow checks for 32bit size calculations */
/* NOTE: DIV_ROUND_UP() can overflow */
cpp = DIV_ROUND_UP(args->bpp, 8);
if (cpp > 0xffffffffU / args->width)
if (!cpp || cpp > 0xffffffffU / args->width)
return -EINVAL;
stride = cpp * args->width;
if (args->height > 0xffffffffU / stride)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment