diff --git a/linux-core/drm_bufs.c b/linux-core/drm_bufs.c
index 16af7bd5..02502321 100644
--- a/linux-core/drm_bufs.c
+++ b/linux-core/drm_bufs.c
@@ -332,6 +332,12 @@ int DRM(addbufs_agp)( struct inode *inode, struct file *filp,
 return -ENOMEM; /* May only call once for each order */
 }
+ if (count < 0 || count > 4096) {
+ up( &dev->struct_sem );
+ atomic_dec( &dev->buf_alloc );
+ return -EINVAL;
+ }
+
 entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist),
 DRM_MEM_BUFS );
 if ( !entry->buflist ) {
@@ -479,6 +485,12 @@ int DRM(addbufs_pci)( struct inode *inode, struct file *filp,
 return -ENOMEM; /* May only call once for each order */
 }
+ if (count < 0 || count > 4096) {
+ up( &dev->struct_sem );
+ atomic_dec( &dev->buf_alloc );
+ return -EINVAL;
+ }
+
 entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist),
 DRM_MEM_BUFS );
 if ( !entry->buflist ) {
@@ -581,6 +593,7 @@ int DRM(addbufs_pci)( struct inode *inode, struct file *filp,
 atomic_dec( &dev->buf_alloc );
 return 0;
+ }
 #endif /* __HAVE_PCI_DMA */
@@ -650,6 +663,12 @@ int DRM(addbufs_sg)( struct inode *inode, struct file *filp,
 return -ENOMEM; /* May only call once for each order */
 }
+ if (count < 0 || count > 4096) {
+ up( &dev->struct_sem );
+ atomic_dec( &dev->buf_alloc );
+ return -EINVAL;
+ }
+
 entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist),
 DRM_MEM_BUFS );
 if ( !entry->buflist ) {
diff --git a/linux-core/drm_ioctl.c b/linux-core/drm_ioctl.c
index 1cc8f31f..c2761808 100644
--- a/linux-core/drm_ioctl.c
+++ b/linux-core/drm_ioctl.c
@@ -82,7 +82,7 @@ int DRM(setunique)(struct inode *inode, struct file *filp,
 if (copy_from_user(&u, (drm_unique_t *)arg, sizeof(u)))
 return -EFAULT;
- if (!u.unique_len)
+ if (!u.unique_len || u.unique_len > 1024)
 return -EINVAL;
 dev->unique_len = u.unique_len;
diff --git a/linux/drm_bufs.h b/linux/drm_bufs.h
index 16af7bd5..02502321 100644
--- a/linux/drm_bufs.h
+++ b/linux/drm_bufs.h
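Review bot: The new `count` bound is the bare magic number 4096, written three times (this addbufs_agp hunk, the addbufs_pci and addbufs_sg hunks below, and again in the duplicate linux/drm_bufs.h hunks) with no comment saying what it protects. A single named limit would keep the three copies from drifting and document the reason, e.g. `#define DRM_MAX_BUFS_PER_ORDER 4096 /* bounds count * sizeof(*entry->buflist) and the per-buffer setup loop */` (placeholder name) and `if (count < 0 || count > DRM_MAX_BUFS_PER_ORDER) {`. The unlock-and-decrement cleanup in the new branch mirrors the existing `buf_count` branch just above it, which looks right; `count` presumably comes from the ioctl request, so the check belongs before the multiplication on the following line as placed. The `}` added in the `@@ -581` hunk closes a block whose opening is outside the hunk; it presumably repairs an existing brace imbalance rather than pairing with the new `if`, and the commit message should say so. The enclosing functions start and end outside these hunks.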
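Review bot: The new upper bound `u.unique_len > 1024` in DRM(setunique) is a bare magic number; naming it would let the allocation and copy that consume `dev->unique_len` later in the function (outside this hunk) visibly share the same limit, e.g. `#define DRM_MAX_UNIQUE_LEN 1024` (placeholder name) and `if (!u.unique_len || u.unique_len > DRM_MAX_UNIQUE_LEN)`. The same hunk is repeated verbatim for linux/drm_ioctl.h, so the constant should live in a header both copies include. DRM(setunique) starts and ends outside the hunk.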
@@ -332,6 +332,12 @@ int DRM(addbufs_agp)( struct inode *inode, struct file *filp,
 return -ENOMEM; /* May only call once for each order */
 }
+ if (count < 0 || count > 4096) {
+ up( &dev->struct_sem );
+ atomic_dec( &dev->buf_alloc );
+ return -EINVAL;
+ }
+
 entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist),
 DRM_MEM_BUFS );
 if ( !entry->buflist ) {
@@ -479,6 +485,12 @@ int DRM(addbufs_pci)( struct inode *inode, struct file *filp,
 return -ENOMEM; /* May only call once for each order */
 }
+ if (count < 0 || count > 4096) {
+ up( &dev->struct_sem );
+ atomic_dec( &dev->buf_alloc );
+ return -EINVAL;
+ }
+
 entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist),
 DRM_MEM_BUFS );
 if ( !entry->buflist ) {
@@ -581,6 +593,7 @@ int DRM(addbufs_pci)( struct inode *inode, struct file *filp,
 atomic_dec( &dev->buf_alloc );
 return 0;
+ }
 #endif /* __HAVE_PCI_DMA */
@@ -650,6 +663,12 @@ int DRM(addbufs_sg)( struct inode *inode, struct file *filp,
 return -ENOMEM; /* May only call once for each order */
 }
+ if (count < 0 || count > 4096) {
+ up( &dev->struct_sem );
+ atomic_dec( &dev->buf_alloc );
+ return -EINVAL;
+ }
+
 entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist),
 DRM_MEM_BUFS );
 if ( !entry->buflist ) {
diff --git a/linux/drm_ioctl.h b/linux/drm_ioctl.h
index 1cc8f31f..c2761808 100644
--- a/linux/drm_ioctl.h
+++ b/linux/drm_ioctl.h
@@ -82,7 +82,7 @@ int DRM(setunique)(struct inode *inode, struct file *filp,
 if (copy_from_user(&u, (drm_unique_t *)arg, sizeof(u)))
 return -EFAULT;
- if (!u.unique_len)
+ if (!u.unique_len || u.unique_len > 1024)
 return -EINVAL;
 dev->unique_len = u.unique_len;