From 7d6a1759900ffde0a7aac2fa0cbd7c2bf4989476 Mon Sep 17 00:00:00 2001
From: Alistair Delva
Date: Tue, 2 Mar 2021 08:18:06 -0800
Subject: [PATCH] xf86drm: fix null pointer deref in drmGetBufInfo

If info.count is large, drmMalloc() / alloca() may fail, and the resulting null pointer is not null checked before dereference.

Issue: https://gitlab.freedesktop.org/mesa/drm/-/issues/62
Reviewed-by: Simon Ser
Signed-off-by: Alistair Delva
---
 xf86drm.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/xf86drm.c b/xf86drm.c
index 0185e985..edfeb347 100644
--- a/xf86drm.c
+++ b/xf86drm.c
@@ -1351,7 +1351,12 @@ drm_public drmBufInfoPtr drmGetBufInfo(int fd)
 retval = drmMalloc(sizeof(*retval));
 retval->count = info.count;
- retval->list = drmMalloc(info.count * sizeof(*retval->list));
+ if (!(retval->list = drmMalloc(info.count * sizeof(*retval->list)))) {
+ drmFree(retval);
+ drmFree(info.list);
+ return NULL;
+ }
+
 for (i = 0; i < info.count; i++) {
 retval->list[i].count = info.list[i].count;
 retval->list[i].size = info.list[i].size;