authorJan Vesely2017-09-01 13:49:19 -0500
committerJan Vesely2017-09-04 22:48:54 -0500
commitd55d0804f9e37637d7510f38f97e07a50c6b7baa (patch)
tree7526b9ed8eb74abc7e17794233497d83ff317816 /amdgpu/amdgpu_asic_id.c
parent05a830d382382905d87b55af90aa109fb76e4c16 (diff)
amdgpu: Do not write beyond allocated memory when parsing ids
Fixes crash when /usr/share/libdrm/amdgpu.ids contains ASIC_ID_TABLE_NUM_ENTRIES + 1 entries. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=102432 Fixes: 7e6bf88cac315a9fa41818cf72a7b5d18a2cb1fc (amdgpu: move asic id table to a separate file) Signed-off-by: Jan Vesely <jan.vesely@rutgers.edu> Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
Diffstat (limited to 'amdgpu/amdgpu_asic_id.c')
-rw-r--r--amdgpu/amdgpu_asic_id.c15
1 files changed, 8 insertions, 7 deletions
diff --git a/amdgpu/amdgpu_asic_id.c b/amdgpu/amdgpu_asic_id.c
index 3a88896b..e8218974 100644
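--- a/amdgpu/amdgpu_asic_id.c
+++ b/amdgpu/amdgpu_asic_id.c
@@ -186,19 +186,20 @@ int amdgpu_parse_asic_ids(struct amdgpu_asic_id **p_asic_id_table)
 table_size++;
 }
 
-/* end of table */
-id = asic_id_table + table_size;
-memset(id, 0, sizeof(struct amdgpu_asic_id));
-
 if (table_size != table_max_size) {
 id = realloc(asic_id_table, (table_size + 1) *
 sizeof(struct amdgpu_asic_id));
-if (!id)
+if (!id) {
 r = -ENOMEM;
-else
-asic_id_table = id;
+goto free;
+}
+asic_id_table = id;
 }
 
+/* end of table */
+id = asic_id_table + table_size;
+memset(id, 0, sizeof(struct amdgpu_asic_id));
+
 free:
 free(line);
 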
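Review bot: The terminator write at `id = asic_id_table + table_size;` is in bounds only because it now runs after the realloc to `table_size + 1` entries, and nothing at that spot records the ordering requirement, so a later reshuffle could bring back the out-of-bounds memset. I would expand the comment to `/* end of table: must stay after the realloc above, which guarantees table_size + 1 entries */`. When `table_size == table_max_size` the realloc is skipped, so the write relies on the initial allocation holding `table_max_size + 1` entries; that allocation is outside this hunk and the invariant should be confirmed and stated where the buffer is created. Because the table is filled from an ids file on disk, a regression test with exactly ASIC_ID_TABLE_NUM_ENTRIES + 1 entries would pin the boundary case named in the commit message. The body of amdgpu_parse_asic_ids starts and ends outside the hunk.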