diff options
| author | Xi Wang <[email protected]> | 2012-04-23 04:06:42 -0400 |
|---|---|---|
| committer | Daniel Vetter <[email protected]> | 2012-04-23 22:32:15 +0200 |
| commit | 44afb3a04391a74309d16180d1e4f8386fdfa745 (patch) | |
| tree | feec2dbbdc8a76932bd10289a3532a4b29c6ef6a /lib/mpi/mpi-inline.c | |
| parent | ed8cd3b2cd61004cab85380c52b1817aca1ca49b (diff) | |
drm/i915: fix integer overflow in i915_gem_do_execbuffer()
On 32-bit systems, a large args->num_cliprects from userspace via ioctl
may overflow the allocation size, leading to out-of-bounds access.
This vulnerability was introduced in commit 432e58ed ("drm/i915: Avoid
allocation for execbuffer object list").
Signed-off-by: Xi Wang <[email protected]>
Reviewed-by: Chris Wilson <[email protected]>
Cc: [email protected]
Signed-off-by: Daniel Vetter <[email protected]>
Diffstat (limited to 'lib/mpi/mpi-inline.c')
0 files changed, 0 insertions, 0 deletions