Skip to content

Commit e501771

Browse files
Dan Carpenterbzolnier
Dan Carpenter
authored and
bzolnier
committed
fbdev: sbuslib: integer overflow in sbusfb_ioctl_helper()
The "index + count" addition can overflow. Both come directly from the user. This bug leads to an information leak. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: Peter Malone <peter.malone@gmail.com> Cc: Philippe Ombredanne <pombredanne@nexb.com> Cc: Mathieu Malaterre <malat@debian.org> Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
1 parent d8bad91 commit e501771

File tree

1 file changed

+1
-1
lines changed

1 file changed

+1
-1
lines changed

drivers/video/fbdev/sbuslib.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -171,7 +171,7 @@ int sbusfb_ioctl_helper(unsigned long cmd, unsigned long arg,
171171
get_user(ublue, &c->blue))
172172
return -EFAULT;
173173

174-
if (index + count > cmap->len)
174+
if (index > cmap->len || count > cmap->len - index)
175175
return -EINVAL;
176176

177177
for (i = 0; i < count; i++) {

0 commit comments

Comments
 (0)