diff options
| author | Jeff Hartmann <jhartmann@valinux.com> | 2001-06-18 19:25:15 +0000 |
|---|---|---|
| committer | Jeff Hartmann <jhartmann@valinux.com> | 2001-06-18 19:25:15 +0000 |
| commit | 12e9c636dfb4fbaf229e884afa8febaecd79b475 (patch) | |
| tree | ceb34c08a329bf1f7f973708a6b31a9ae5b3b1cc | |
| parent | b1a588f0cc9cd7b4f5b2150f03722ac09b7e8989 (diff) | |
Fix 5 security bugs found by the Stanford tools
| -rw-r--r-- | linux-core/i810_dma.c | 4 | ||||
| -rw-r--r-- | linux/i810_dma.c | 4 | ||||
| -rw-r--r-- | linux/mga_state.c | 4 |
3 files changed, 10 insertions, 2 deletions
diff --git a/linux-core/i810_dma.c b/linux-core/i810_dma.c index 25caca6b..8abf80ad 100644 --- a/linux-core/i810_dma.c +++ b/linux-core/i810_dma.c @@ -1094,6 +1094,8 @@ int i810_dma_vertex(struct inode *inode, struct file *filp, DRM_DEBUG("i810 dma vertex, idx %d used %d discard %d\n", vertex.idx, vertex.used, vertex.discard); + if(vertex.idx < 0 || vertex.idx > dma->buf_count) return -EINVAL; + i810_dma_dispatch_vertex( dev, dma->buflist[ vertex.idx ], vertex.discard, vertex.used ); @@ -1222,7 +1224,7 @@ int i810_copybuf(struct inode *inode, struct file *filp, unsigned int cmd, if (copy_from_user(&d, (drm_i810_copy_t *)arg, sizeof(d))) return -EFAULT; - if(d.idx > dma->buf_count) return -EINVAL; + if(d.idx < 0 || d.idx > dma->buf_count) return -EINVAL; buf = dma->buflist[ d.idx ]; buf_priv = buf->dev_private; if (buf_priv->currently_mapped != I810_BUF_MAPPED) return -EPERM; diff --git a/linux/i810_dma.c b/linux/i810_dma.c index 25caca6b..8abf80ad 100644 --- a/linux/i810_dma.c +++ b/linux/i810_dma.c @@ -1094,6 +1094,8 @@ int i810_dma_vertex(struct inode *inode, struct file *filp, DRM_DEBUG("i810 dma vertex, idx %d used %d discard %d\n", vertex.idx, vertex.used, vertex.discard); + if(vertex.idx < 0 || vertex.idx > dma->buf_count) return -EINVAL; + i810_dma_dispatch_vertex( dev, dma->buflist[ vertex.idx ], vertex.discard, vertex.used ); @@ -1222,7 +1224,7 @@ int i810_copybuf(struct inode *inode, struct file *filp, unsigned int cmd, if (copy_from_user(&d, (drm_i810_copy_t *)arg, sizeof(d))) return -EFAULT; - if(d.idx > dma->buf_count) return -EINVAL; + if(d.idx < 0 || d.idx > dma->buf_count) return -EINVAL; buf = dma->buflist[ d.idx ]; buf_priv = buf->dev_private; if (buf_priv->currently_mapped != I810_BUF_MAPPED) return -EPERM; diff --git a/linux/mga_state.c b/linux/mga_state.c index 99778c58..41b2e9a1 100644 --- a/linux/mga_state.c +++ b/linux/mga_state.c @@ -943,6 +943,7 @@ int mga_dma_vertex( struct inode *inode, struct file *filp, sizeof(vertex) ) ) return -EFAULT; + if(vertex.idx < 0 || vertex.idx > dma->buf_count) return -EINVAL; buf = dma->buflist[vertex.idx]; buf_priv = buf->dev_private; @@ -984,6 +985,8 @@ int mga_dma_indices( struct inode *inode, struct file *filp, sizeof(indices) ) ) return -EFAULT; + if(indices.idx < 0 || indices.idx > dma->buf_count) return -EINVAL; + buf = dma->buflist[indices.idx]; buf_priv = buf->dev_private; @@ -1030,6 +1033,7 @@ int mga_dma_iload( struct inode *inode, struct file *filp, return -EBUSY; } #endif + if(iload.idx < 0 || iload.idx > dma->buf_count) return -EINVAL; buf = dma->buflist[iload.idx]; buf_priv = buf->dev_private; |