summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--linux-core/i810_dma.c4
-rw-r--r--linux/i810_dma.c4
-rw-r--r--linux/mga_state.c4
3 files changed, 10 insertions, 2 deletions
diff --git a/linux-core/i810_dma.c b/linux-core/i810_dma.c
index 25caca6b..8abf80ad 100644
--- a/linux-core/i810_dma.c
+++ b/linux-core/i810_dma.c
@@ -1094,6 +1094,8 @@ int i810_dma_vertex(struct inode *inode, struct file *filp,
DRM_DEBUG("i810 dma vertex, idx %d used %d discard %d\n",
vertex.idx, vertex.used, vertex.discard);
+ if(vertex.idx < 0 || vertex.idx > dma->buf_count) return -EINVAL;
+
i810_dma_dispatch_vertex( dev,
dma->buflist[ vertex.idx ],
vertex.discard, vertex.used );
@@ -1222,7 +1224,7 @@ int i810_copybuf(struct inode *inode, struct file *filp, unsigned int cmd,
if (copy_from_user(&d, (drm_i810_copy_t *)arg, sizeof(d)))
return -EFAULT;
- if(d.idx > dma->buf_count) return -EINVAL;
+ if(d.idx < 0 || d.idx > dma->buf_count) return -EINVAL;
buf = dma->buflist[ d.idx ];
buf_priv = buf->dev_private;
if (buf_priv->currently_mapped != I810_BUF_MAPPED) return -EPERM;
diff --git a/linux/i810_dma.c b/linux/i810_dma.c
index 25caca6b..8abf80ad 100644
--- a/linux/i810_dma.c
+++ b/linux/i810_dma.c
@@ -1094,6 +1094,8 @@ int i810_dma_vertex(struct inode *inode, struct file *filp,
DRM_DEBUG("i810 dma vertex, idx %d used %d discard %d\n",
vertex.idx, vertex.used, vertex.discard);
+ if(vertex.idx < 0 || vertex.idx > dma->buf_count) return -EINVAL;
+
i810_dma_dispatch_vertex( dev,
dma->buflist[ vertex.idx ],
vertex.discard, vertex.used );
@@ -1222,7 +1224,7 @@ int i810_copybuf(struct inode *inode, struct file *filp, unsigned int cmd,
if (copy_from_user(&d, (drm_i810_copy_t *)arg, sizeof(d)))
return -EFAULT;
- if(d.idx > dma->buf_count) return -EINVAL;
+ if(d.idx < 0 || d.idx > dma->buf_count) return -EINVAL;
buf = dma->buflist[ d.idx ];
buf_priv = buf->dev_private;
if (buf_priv->currently_mapped != I810_BUF_MAPPED) return -EPERM;
diff --git a/linux/mga_state.c b/linux/mga_state.c
index 99778c58..41b2e9a1 100644
--- a/linux/mga_state.c
+++ b/linux/mga_state.c
@@ -943,6 +943,7 @@ int mga_dma_vertex( struct inode *inode, struct file *filp,
sizeof(vertex) ) )
return -EFAULT;
+ if(vertex.idx < 0 || vertex.idx > dma->buf_count) return -EINVAL;
buf = dma->buflist[vertex.idx];
buf_priv = buf->dev_private;
@@ -984,6 +985,8 @@ int mga_dma_indices( struct inode *inode, struct file *filp,
sizeof(indices) ) )
return -EFAULT;
+ if(indices.idx < 0 || indices.idx > dma->buf_count) return -EINVAL;
+
buf = dma->buflist[indices.idx];
buf_priv = buf->dev_private;
@@ -1030,6 +1033,7 @@ int mga_dma_iload( struct inode *inode, struct file *filp,
return -EBUSY;
}
#endif
+ if(iload.idx < 0 || iload.idx > dma->buf_count) return -EINVAL;
buf = dma->buflist[iload.idx];
buf_priv = buf->dev_private;
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-31 21:54:39 +0000