diff options
| author | David Herrmann <dh.herrmann@gmail.com> | 2014-08-24 13:23:26 -0400 |
|---|---|---|
| committer | Dave Airlie <airlied@redhat.com> | 2014-08-27 21:38:04 -0400 |
| commit | 00e7208997d7a42b6f7b22f582523755f43a2f9b (patch) | |
| tree | f78c53805cf874e597290c8feaa4bb7282e669bb /drivers/gpu | |
| parent | 4d6923733f158e7f8f0695b43c30c22a59ec0a34 (diff) | |
drm: fix division-by-zero on dumb_create()
Kinda unexpected, but DIV_ROUND_UP() can overflow if passed an argument
bigger than UINT_MAX - DIVISOR. Fix this by testing for "!cpp" before
using it in the following division.
Note that DIV_ROUND_UP() is defined as:
#define DIV_ROUND_UP(n,d) (((n) + (d) - 1) / (d))
..this will obviously overflow if (n + d - 1) is bigger than UINT_MAX.
Reported-by: Tommi Rantala <tt.rantala@gmail.com>
Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Reviewed-by: Rob Clark <robdclark@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Diffstat (limited to 'drivers/gpu')
| -rw-r--r-- | drivers/gpu/drm/drm_crtc.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c index fa2be249999c..90e773019eac 100644 --- a/drivers/gpu/drm/drm_crtc.c +++ b/drivers/gpu/drm/drm_crtc.c | |||
| @@ -4696,8 +4696,9 @@ int drm_mode_create_dumb_ioctl(struct drm_device *dev, | |||
| 4696 | return -EINVAL; | 4696 | return -EINVAL; |
| 4697 | 4697 | ||
| 4698 | /* overflow checks for 32bit size calculations */ | 4698 | /* overflow checks for 32bit size calculations */ |
| 4699 | /* NOTE: DIV_ROUND_UP() can overflow */ | ||
| 4699 | cpp = DIV_ROUND_UP(args->bpp, 8); | 4700 | cpp = DIV_ROUND_UP(args->bpp, 8); |
| 4700 | if (cpp > 0xffffffffU / args->width) | 4701 | if (!cpp || cpp > 0xffffffffU / args->width) |
| 4701 | return -EINVAL; | 4702 | return -EINVAL; |
| 4702 | stride = cpp * args->width; | 4703 | stride = cpp * args->width; |
| 4703 | if (args->height > 0xffffffffU / stride) | 4704 | if (args->height > 0xffffffffU / stride) |