| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <16d488639e99f43ca3977ee7b8f76fc26c34aa86.1692888745.git.geert@linux-m68k.org>
Date: Thu, 24 Aug 2023 17:08:39 +0200
From: Geert Uytterhoeven <geert@...ux-m68k.org>
To: Javier Martinez Canillas <javierm@...hat.com>,
Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>,
Maxime Ripard <mripard@...nel.org>,
Thomas Zimmermann <tzimmermann@...e.de>,
David Airlie <airlied@...il.com>,
Daniel Vetter <daniel@...ll.ch>
Cc: dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org,
Geert Uytterhoeven <geert@...ux-m68k.org>
Subject: [PATCH v2 1/8] drm/dumb-buffers: Fix drm_mode_create_dumb() for bpp < 8
drm_mode_create_dumb() calculates the number of characters per pixel
from the number of bits per pixel by rounding up, which is not correct
as the actual value of cpp may be non-integer. While we do not need to
care here about complex formats like YUV, bpp < 8 is a valid use case.
- The overflow check for the buffer width is not correct if bpp < 8.
However, it doesn't hurt, as widths larger than U32_MAX / 8 should
not happen for real anyway. Add a comment to clarify.
- Calculating the stride from the number of characters per pixel is
not correct. Fix this by calculating it from the number of bits per
pixel instead.
Signed-off-by: Geert Uytterhoeven <geert@...ux-m68k.org>
Reviewed-by: Javier Martinez Canillas <javierm@...hat.com>
Tested-by: Javier Martinez Canillas <javierm@...hat.com>
---
v2:
- Add Reviewed-by, Tested-by.
---
drivers/gpu/drm/drm_dumb_buffers.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_dumb_buffers.c b/drivers/gpu/drm/drm_dumb_buffers.c
index 70032bba1c97e787..21a04c32a5e3d785 100644
--- a/drivers/gpu/drm/drm_dumb_buffers.c
+++ b/drivers/gpu/drm/drm_dumb_buffers.c
@@ -71,10 +71,11 @@ int drm_mode_create_dumb(struct drm_device *dev,
/* overflow checks for 32bit size calculations */
if (args->bpp > U32_MAX - 8)
return -EINVAL;
+ /* Incorrect (especially if bpp < 8), but doesn't hurt much */
cpp = DIV_ROUND_UP(args->bpp, 8);
if (cpp > U32_MAX / args->width)
return -EINVAL;
- stride = cpp * args->width;
+ stride = DIV_ROUND_UP(args->bpp * args->width, 8);
if (args->height > U32_MAX / stride)
return -EINVAL;
--
2.34.1
Powered by blists - more mailing lists