xf86drm: fix null pointer deref in drmGetBufInfo
If info.count is large, drmMalloc() / alloca() may fail, and the resulting null pointer is not checked before it is dereferenced.

Issue: https://gitlab.freedesktop.org/mesa/drm/-/issues/62
Reviewed-by: Simon Ser <contact@emersion.fr>
Signed-off-by: Alistair Delva <adelva@google.com>
parent
2e67fef5f6
commit
7d6a175990
|
@ -1351,7 +1351,12 @@ drm_public drmBufInfoPtr drmGetBufInfo(int fd)
|
||||||
|
|
||||||
retval = drmMalloc(sizeof(*retval));
|
retval = drmMalloc(sizeof(*retval));
|
||||||
retval->count = info.count;
|
retval->count = info.count;
|
||||||
retval->list = drmMalloc(info.count * sizeof(*retval->list));
|
if (!(retval->list = drmMalloc(info.count * sizeof(*retval->list)))) {
|
||||||
|
drmFree(retval);
|
||||||
|
drmFree(info.list);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
for (i = 0; i < info.count; i++) {
|
for (i = 0; i < info.count; i++) {
|
||||||
retval->list[i].count = info.list[i].count;
|
retval->list[i].count = info.list[i].count;
|
||||||
retval->list[i].size = info.list[i].size;
|
retval->list[i].size = info.list[i].size;
|
||||||
|
|
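Review bot: The first allocation in this hunk, `retval = drmMalloc(sizeof(*retval));`, is still dereferenced on the very next line (`retval->count = info.count;`) without a null check, so the failure mode this commit fixes for `retval->list` remains for `retval` itself. A matching guard would be `if (!(retval = drmMalloc(sizeof(*retval)))) { drmFree(info.list); return NULL; }`, mirroring the cleanup the new error path already performs. Separately, `info.count * sizeof(*retval->list)` is computed without an overflow check. The type and origin of `info.count` are outside the hunk, but if the product can wrap (for example with a 32-bit `size_t`), the copy loop below would write past a short allocation, so a bound such as `info.count > SIZE_MAX / sizeof(*retval->list)` before allocating is worth considering. The body of drmGetBufInfo starts and ends outside the hunk.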