author | Jeff Hartmann <jhartmann@valinux.com> | 2001-07-20 22:16:04 +0000 |
---|---|---|
committer | Jeff Hartmann <jhartmann@valinux.com> | 2001-07-20 22:16:04 +0000 |
commit | 5e8ba79eb6aabd85f52de43fcf30722268857f60 (patch) | |
tree | eb78245049182c1d482391b0d043ad9f8cd79524 | |
parent | ae5b4effc05cd5ac44ab44c5c733c6599652f1eb (diff) |
Merge checker fixes from Alan Cox made to the drm in the ac kernel tree.
These aren't really security problems, but Alan has made some arguments
that have convinced me that the code should be fixed anyway.
-rw-r--r-- | linux-core/drm_bufs.c | 19 | ||||
-rw-r--r-- | linux-core/drm_ioctl.c | 2 | ||||
-rw-r--r-- | linux/drm_bufs.h | 19 | ||||
-rw-r--r-- | linux/drm_ioctl.h | 2 |
4 files changed, 40 insertions, 2 deletions
diff --git a/linux-core/drm_bufs.c b/linux-core/drm_bufs.c
index 16af7bd5..02502321 100644
--- a/linux-core/drm_bufs.c
+++ b/linux-core/drm_bufs.c
@@ -332,6 +332,12 @@ int DRM(addbufs_agp)( struct inode *inode, struct file *filp, return -ENOMEM; /* May only call once for each order */ } + if (count < 0 || count > 4096) { + up( &dev->struct_sem ); + atomic_dec( &dev->buf_alloc ); + return -EINVAL; + } + entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist), DRM_MEM_BUFS ); if ( !entry->buflist ) {
@@ -479,6 +485,12 @@ int DRM(addbufs_pci)( struct inode *inode, struct file *filp, return -ENOMEM; /* May only call once for each order */ } + if (count < 0 || count > 4096) { + up( &dev->struct_sem ); + atomic_dec( &dev->buf_alloc ); + return -EINVAL; + } + entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist), DRM_MEM_BUFS ); if ( !entry->buflist ) {
@@ -581,6 +593,7 @@ int DRM(addbufs_pci)( struct inode *inode, struct file *filp, atomic_dec( &dev->buf_alloc ); return 0; + } #endif /* __HAVE_PCI_DMA */
@@ -650,6 +663,12 @@ int DRM(addbufs_sg)( struct inode *inode, struct file *filp, return -ENOMEM; /* May only call once for each order */ } + if (count < 0 || count > 4096) { + up( &dev->struct_sem ); + atomic_dec( &dev->buf_alloc ); + return -EINVAL; + } + entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist), DRM_MEM_BUFS ); if ( !entry->buflist ) {
diff --git a/linux-core/drm_ioctl.c b/linux-core/drm_ioctl.c
index 1cc8f31f..c2761808 100644
--- a/linux-core/drm_ioctl.c
+++ b/linux-core/drm_ioctl.c
@@ -82,7 +82,7 @@ int DRM(setunique)(struct inode *inode, struct file *filp, if (copy_from_user(&u, (drm_unique_t *)arg, sizeof(u))) return -EFAULT; - if (!u.unique_len) + if (!u.unique_len || u.unique_len > 1024) return -EINVAL; dev->unique_len = u.unique_len;
diff --git a/linux/drm_bufs.h b/linux/drm_bufs.h
index 16af7bd5..02502321 100644
--- a/linux/drm_bufs.h
+++ b/linux/drm_bufs.h
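Review bot: The new bound `count > 4096` in DRM(addbufs_agp) is an unnamed literal that is repeated in the addbufs_pci and addbufs_sg hunks and again in the linux/drm_bufs.h copies, so the limits can drift apart and nothing states what the number protects. A single named constant with a comment (name is a suggestion only), e.g. `#define DRM_MAX_BUF_COUNT 4096 /* caps count * sizeof(*entry->buflist) */`, would tie the check to the `count * sizeof(*entry->buflist)` allocation it guards. The check also sits where `dev->struct_sem` and `dev->buf_alloc` evidently have to be released again, which is why each copy carries its own unwind; rejecting a bad `count` before they are taken would remove that, but the start of each function is outside the hunk, so whether `count` is available that early needs confirming.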
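Review bot: `dev->unique_len = u.unique_len;` runs immediately after the new length check in DRM(setunique), before whatever allocates and fills the string, so a later failure would presumably leave a non-zero length stored without a matching buffer; the rest of the function is outside the hunk, so this should be confirmed there. Assigning the length only once the copy has succeeded would avoid that state. The `1024` limit is also a bare literal, and a named constant or a short comment such as `/* upper bound on the user-supplied unique string */` would document it. The same hunk is repeated for linux/drm_ioctl.h.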
@@ -332,6 +332,12 @@ int DRM(addbufs_agp)( struct inode *inode, struct file *filp, return -ENOMEM; /* May only call once for each order */ } + if (count < 0 || count > 4096) { + up( &dev->struct_sem ); + atomic_dec( &dev->buf_alloc ); + return -EINVAL; + } + entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist), DRM_MEM_BUFS ); if ( !entry->buflist ) {
@@ -479,6 +485,12 @@ int DRM(addbufs_pci)( struct inode *inode, struct file *filp, return -ENOMEM; /* May only call once for each order */ } + if (count < 0 || count > 4096) { + up( &dev->struct_sem ); + atomic_dec( &dev->buf_alloc ); + return -EINVAL; + } + entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist), DRM_MEM_BUFS ); if ( !entry->buflist ) {
@@ -581,6 +593,7 @@ int DRM(addbufs_pci)( struct inode *inode, struct file *filp, atomic_dec( &dev->buf_alloc ); return 0; + } #endif /* __HAVE_PCI_DMA */
@@ -650,6 +663,12 @@ int DRM(addbufs_sg)( struct inode *inode, struct file *filp, return -ENOMEM; /* May only call once for each order */ } + if (count < 0 || count > 4096) { + up( &dev->struct_sem ); + atomic_dec( &dev->buf_alloc ); + return -EINVAL; + } + entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist), DRM_MEM_BUFS ); if ( !entry->buflist ) {
diff --git a/linux/drm_ioctl.h b/linux/drm_ioctl.h
index 1cc8f31f..c2761808 100644
--- a/linux/drm_ioctl.h
+++ b/linux/drm_ioctl.h
@@ -82,7 +82,7 @@ int DRM(setunique)(struct inode *inode, struct file *filp, if (copy_from_user(&u, (drm_unique_t *)arg, sizeof(u))) return -EFAULT; - if (!u.unique_len) + if (!u.unique_len || u.unique_len > 1024) return -EINVAL; dev->unique_len = u.unique_len; |