I think this is about the minimal fix needed. I'm not entirely happy with the limits picked, especially for spans, but maybe someone with an R128 can verify it is ok, or change the code to loop each chunk of pixels/span data.
I've not yet looked at the new SiS allocator problems in detail. The 6326 really wants a different allocator anyway.

Alan
--- drivers/char/drm/r128_state.c~ 2004-01-14 13:42:38.000000000 +0000 +++ drivers/char/drm/r128_state.c 2004-01-14 13:46:27.000000000 +0000 @@ -23,8 +23,20 @@ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER * DEALINGS IN THE SOFTWARE. * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL + * RED HAT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY CLAIM, DAMAGES OR + * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, + * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + * + * THIS SOFTWARE IS NOT INTENDED FOR USE IN SAFETY CRITICAL SYSTEMS + * * Authors: * Gareth Hughes <[EMAIL PROTECTED]> + * + * Memory allocation size checks added 14/01/2003, Alan Cox <[EMAIL PROTECTED]> */ #include "r128.h" @@ -901,6 +913,9 @@ DRM_DEBUG( "%s\n", __FUNCTION__ ); count = depth->n; + + if( count > 4096 ) + return -EMSGSIZE; if ( copy_from_user( &x, depth->x, sizeof(x) ) ) { return -EFAULT; } @@ -994,6 +1009,9 @@ DRM_DEBUG( "%s\n", __FUNCTION__ ); count = depth->n; + + if( count > 4096 ) + return -EMSGSIZE; x = kmalloc( count * sizeof(*x), GFP_KERNEL ); if ( x == NULL ) { @@ -1109,6 +1127,9 @@ DRM_DEBUG( "%s\n", __FUNCTION__ ); count = depth->n; + + if ( count > 4096 ) + return -EMSGSIZE; if ( copy_from_user( &x, depth->x, sizeof(x) ) ) { return -EFAULT; }
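Review bot: the date in the added attribution line, `Memory allocation size checks added 14/01/2003`, does not match the diff timestamps (2004-01-14) in the first hunk; this looks like a typo for 2004 and should be corrected before it lands. In the same hunk, the inserted block repeats a warranty disclaimer that the preceding context lines already carry (`ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.`), only with a different party named, so please confirm the duplicate paragraph is intentional rather than a paste error.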
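Review bot: the new guard `if( count > 4096 )` in the hunk at line 901 (and again at 994) departs from the file's `if ( ... )` spacing visible in the adjacent `if ( copy_from_user( &x, depth->x, sizeof(x) ) )` line, while the hunk at 1109 writes it as `if ( count > 4096 )`; the three should be made consistent. The same `4096` also appears as a bare literal in all three hunks, so a single named constant (something like R128_MAX_DEPTH_COUNT, name illustrative) with a comment saying what it bounds would make the limit easier to audit and to revise, which matters given the cover note's own uncertainty about whether the value is right for spans.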
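Review bot: in the hunk at line 994 the check sits directly before `x = kmalloc( count * sizeof(*x), GFP_KERNEL )`, which is the right place to stop the multiplication from wrapping, but an upper bound alone is only sufficient if `count` cannot be negative; the declarations of `count` and `depth->n` are not in the visible lines, so if either is a signed type a negative value passes `count > 4096` and still reaches the multiply. Please confirm the types, or also reject negative values (or compare through an unsigned temporary).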