diff options
| author | Aaro Koskinen <aaro.koskinen@iki.fi> | 2012-09-11 17:44:37 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2012-09-12 12:45:58 -0400 |
| commit | a09f347c6cc0b2821557d1346c4733cc78a79ffa (patch) | |
| tree | 3d5e09a361d5e3c4f00cee44b0a887f9dbd87821 | |
| parent | f325129ae9006298cfbeffb669b30f57ba0cc3c4 (diff) | |
staging: xgifb: validate the mode against video memory size
It's possible to select video mode that exceeds the available video
memory. This is potentially dangerous, fix by adding a check.
The patch fixes system hangs seen occasionally when playing random videos
with mplayer.
Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | drivers/staging/xgifb/XGI_main_26.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/drivers/staging/xgifb/XGI_main_26.c b/drivers/staging/xgifb/XGI_main_26.c index 7fc3049a709c..ba6c3475a517 100644 --- a/drivers/staging/xgifb/XGI_main_26.c +++ b/drivers/staging/xgifb/XGI_main_26.c | |||
| @@ -329,6 +329,7 @@ static int XGIfb_validate_mode(struct xgifb_video_info *xgifb_info, int myindex) | |||
| 329 | { | 329 | { |
| 330 | u16 xres, yres; | 330 | u16 xres, yres; |
| 331 | struct xgi_hw_device_info *hw_info = &xgifb_info->hw_info; | 331 | struct xgi_hw_device_info *hw_info = &xgifb_info->hw_info; |
| 332 | unsigned long required_mem; | ||
| 332 | 333 | ||
| 333 | if (xgifb_info->chip == XG21) { | 334 | if (xgifb_info->chip == XG21) { |
| 334 | if (xgifb_info->display2 == XGIFB_DISP_LCD) { | 335 | if (xgifb_info->display2 == XGIFB_DISP_LCD) { |
| @@ -345,13 +346,13 @@ static int XGIfb_validate_mode(struct xgifb_video_info *xgifb_info, int myindex) | |||
| 345 | } | 346 | } |
| 346 | 347 | ||
| 347 | } | 348 | } |
| 348 | return myindex; | 349 | goto check_memory; |
| 349 | 350 | ||
| 350 | } | 351 | } |
| 351 | 352 | ||
| 352 | /* FIXME: for now, all is valid on XG27 */ | 353 | /* FIXME: for now, all is valid on XG27 */ |
| 353 | if (xgifb_info->chip == XG27) | 354 | if (xgifb_info->chip == XG27) |
| 354 | return myindex; | 355 | goto check_memory; |
| 355 | 356 | ||
| 356 | if (!(XGIbios_mode[myindex].chipset & MD_XGI315)) | 357 | if (!(XGIbios_mode[myindex].chipset & MD_XGI315)) |
| 357 | return -1; | 358 | return -1; |
| @@ -539,6 +540,12 @@ static int XGIfb_validate_mode(struct xgifb_video_info *xgifb_info, int myindex) | |||
| 539 | case XGIFB_DISP_NONE: | 540 | case XGIFB_DISP_NONE: |
| 540 | break; | 541 | break; |
| 541 | } | 542 | } |
| 543 | |||
| 544 | check_memory: | ||
| 545 | required_mem = XGIbios_mode[myindex].xres * XGIbios_mode[myindex].yres * | ||
| 546 | XGIbios_mode[myindex].bpp / 8; | ||
| 547 | if (required_mem > xgifb_info->video_size) | ||
| 548 | return -1; | ||
| 542 | return myindex; | 549 | return myindex; |
| 543 | 550 | ||
| 544 | } | 551 | } |