summaryrefslogtreecommitdiff
path: root/linux
diff options
context:
space:
mode:
authorJeff Hartmann <jhartmann@valinux.com>2001-06-18 19:25:15 +0000
committerJeff Hartmann <jhartmann@valinux.com>2001-06-18 19:25:15 +0000
commit12e9c636dfb4fbaf229e884afa8febaecd79b475 (patch)
treeceb34c08a329bf1f7f973708a6b31a9ae5b3b1cc /linux
parentb1a588f0cc9cd7b4f5b2150f03722ac09b7e8989 (diff)
Fix 5 security bugs found by the Stanford tools
Diffstat (limited to 'linux')
-rw-r--r--linux/i810_dma.c4
-rw-r--r--linux/mga_state.c4
2 files changed, 7 insertions, 1 deletions
diff --git a/linux/i810_dma.c b/linux/i810_dma.c
index 25caca6b..8abf80ad 100644
--- a/linux/i810_dma.c
+++ b/linux/i810_dma.c
@@ -1094,6 +1094,8 @@ int i810_dma_vertex(struct inode *inode, struct file *filp,
DRM_DEBUG("i810 dma vertex, idx %d used %d discard %d\n",
vertex.idx, vertex.used, vertex.discard);
+ if(vertex.idx < 0 || vertex.idx > dma->buf_count) return -EINVAL;
+
i810_dma_dispatch_vertex( dev,
dma->buflist[ vertex.idx ],
vertex.discard, vertex.used );
@@ -1222,7 +1224,7 @@ int i810_copybuf(struct inode *inode, struct file *filp, unsigned int cmd,
if (copy_from_user(&d, (drm_i810_copy_t *)arg, sizeof(d)))
return -EFAULT;
- if(d.idx > dma->buf_count) return -EINVAL;
+ if(d.idx < 0 || d.idx > dma->buf_count) return -EINVAL;
buf = dma->buflist[ d.idx ];
buf_priv = buf->dev_private;
if (buf_priv->currently_mapped != I810_BUF_MAPPED) return -EPERM;
diff --git a/linux/mga_state.c b/linux/mga_state.c
index 99778c58..41b2e9a1 100644
--- a/linux/mga_state.c
+++ b/linux/mga_state.c
@@ -943,6 +943,7 @@ int mga_dma_vertex( struct inode *inode, struct file *filp,
sizeof(vertex) ) )
return -EFAULT;
+ if(vertex.idx < 0 || vertex.idx > dma->buf_count) return -EINVAL;
buf = dma->buflist[vertex.idx];
buf_priv = buf->dev_private;
@@ -984,6 +985,8 @@ int mga_dma_indices( struct inode *inode, struct file *filp,
sizeof(indices) ) )
return -EFAULT;
+ if(indices.idx < 0 || indices.idx > dma->buf_count) return -EINVAL;
+
buf = dma->buflist[indices.idx];
buf_priv = buf->dev_private;
@@ -1030,6 +1033,7 @@ int mga_dma_iload( struct inode *inode, struct file *filp,
return -EBUSY;
}
#endif
+ if(iload.idx < 0 || iload.idx > dma->buf_count) return -EINVAL;
buf = dma->buflist[iload.idx];
buf_priv = buf->dev_private;