[<prev] [next>] [day] [month] [year] [list]
Message-Id: <1249325933-3721-1-git-send-email-FlorianSchandinat@gmx.de>
Date: Mon, 3 Aug 2009 18:58:53 +0000
From: Florian Tobias Schandinat <FlorianSchandinat@....de>
To: linux-fbdev-devel@...ts.sourceforge.net, akpm@...ux-foundation.org,
b18973@...escale.com
Cc: linux-kernel@...r.kernel.org,
Florian Tobias Schandinat <FlorianSchandinat@....de>
Subject: [PATCH] fb: fix fb_pan_display range check
fb: fix fb_pan_display range check
This patch fixes the range check for panning. The current code fails to detect
some invalid values (very high ones that can occur if an app tries to move
further up/left than 0,0) as the check uses the unknown values for calculation
so that an overflow can occur. To fix this it is sufficient to move the
calculation to the right side to use only trusted values.
Kai Jiang detected this problem and proposed an initial patch.
Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@....de>
---
drivers/video/fbmem.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/video/fbmem.c b/drivers/video/fbmem.c
index a85c818..346f257 100644
--- a/drivers/video/fbmem.c
+++ b/drivers/video/fbmem.c
@@ -871,8 +871,8 @@ fb_pan_display(struct fb_info *info, struct fb_var_screeninfo *var)
err = -EINVAL;
if (err || !info->fbops->fb_pan_display ||
- var->yoffset + yres > info->var.yres_virtual ||
- var->xoffset + info->var.xres > info->var.xres_virtual)
+ var->yoffset > info->var.yres_virtual - yres ||
+ var->xoffset > info->var.xres_virtual - info->var.xres)
return -EINVAL;
if ((err = info->fbops->fb_pan_display(var, info)))
--
1.6.3.2
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists