diff options
author | rwatson <rwatson@FreeBSD.org> | 2004-02-23 03:18:18 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2004-02-23 03:18:18 +0000 |
commit | 2894d141c0b97e5460d0f8c37c7bb36781e135a4 (patch) | |
tree | 8cb8a28adf588316570e396fa35665bc65ce1b06 | |
parent | 4851a07e575db73e1ee8d8d3aa0bb7e73484f68b (diff) | |
download | FreeBSD-src-2894d141c0b97e5460d0f8c37c7bb36781e135a4.zip FreeBSD-src-2894d141c0b97e5460d0f8c37c7bb36781e135a4.tar.gz |
Limit the amount of memory userspace processes can cause the kernel to
allocate via DRI on r128 devices.
Obtained from: Thomas Biege <thomas@suse.de>
Reviewed by: scottl
-rw-r--r-- | sys/dev/drm/r128_state.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/sys/dev/drm/r128_state.c b/sys/dev/drm/r128_state.c index 9481d3c..5a97ac0 100644 --- a/sys/dev/drm/r128_state.c +++ b/sys/dev/drm/r128_state.c @@ -917,6 +917,9 @@ static int r128_cce_dispatch_write_span( drm_device_t *dev, DRM_DEBUG( "\n" ); count = depth->n; + if ( count > 4096 || count <= 0 ) { + return DRM_ERR(EMSGSIZE); + } if ( DRM_COPY_FROM_USER( &x, depth->x, sizeof(x) ) ) { return DRM_ERR(EFAULT); } @@ -1010,9 +1013,16 @@ static int r128_cce_dispatch_write_pixels( drm_device_t *dev, DRM_DEBUG( "\n" ); count = depth->n; + if ( count > 4096 || count <= 0 ) { + return DRM_ERR(EMSGSIZE); + } xbuf_size = count * sizeof(*x); ybuf_size = count * sizeof(*y); + if ( xbuf_size <= 0 || ybuf_size <= 0 ) { + return DRM_ERR(EMSGSIZE); + } + x = DRM_MALLOC( xbuf_size ); if ( x == NULL ) { return DRM_ERR(ENOMEM); @@ -1127,6 +1137,10 @@ static int r128_cce_dispatch_read_span( drm_device_t *dev, DRM_DEBUG( "\n" ); count = depth->n; + + if ( count > 4096 || count <= 0 ) { + return DRM_ERR(EMSGSIZE); + } if ( DRM_COPY_FROM_USER( &x, depth->x, sizeof(x) ) ) { return DRM_ERR(EFAULT); } @@ -1175,6 +1189,9 @@ static int r128_cce_dispatch_read_pixels( drm_device_t *dev, xbuf_size = count * sizeof(*x); ybuf_size = count * sizeof(*y); + if ( xbuf_size <= 0 || ybuf_size <= 0 ) { + return DRM_ERR(EMSGSIZE); + } x = DRM_MALLOC( xbuf_size ); if ( x == NULL ) { return DRM_ERR(ENOMEM); |