amdgpu: Do not write beyond allocated memory when parsing ids
authorJan Vesely <jan.vesely@rutgers.edu>
Fri, 1 Sep 2017 18:49:19 +0000 (14:49 -0400)
committerJan Vesely <jan.vesely@rutgers.edu>
Tue, 5 Sep 2017 03:48:54 +0000 (23:48 -0400)
Fixes crash when /usr/share/libdrm/amdgpu.ids contains ASIC_ID_TABLE_NUM_ENTRIES + 1 entries.

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=102432
Fixes: 7e6bf88cac315a9fa41818cf72a7b5d18a2cb1fc (amdgpu: move asic id table to a separate file)
Signed-off-by: Jan Vesely <jan.vesely@rutgers.edu>
Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
amdgpu/amdgpu_asic_id.c

index 3a88896..e821897 100644 (file)
@@ -186,19 +186,20 @@ int amdgpu_parse_asic_ids(struct amdgpu_asic_id **p_asic_id_table)
                table_size++;
        }
 
-       /* end of table */
-       id = asic_id_table + table_size;
-       memset(id, 0, sizeof(struct amdgpu_asic_id));
-
        if (table_size != table_max_size) {
                id = realloc(asic_id_table, (table_size + 1) *
                             sizeof(struct amdgpu_asic_id));
-               if (!id)
+               if (!id) {
                        r = -ENOMEM;
-               else
-                       asic_id_table = id;
+                       goto free;
+               }
+               asic_id_table = id;
         }
 
+       /* end of table */
+       id = asic_id_table + table_size;
+       memset(id, 0, sizeof(struct amdgpu_asic_id));
+
 free:
        free(line);
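Review bot: The terminator write at `id = asic_id_table + table_size;` is in bounds only if the buffer holds at least `table_size + 1` entries. When `table_size == table_max_size` the realloc is skipped, so that guarantee rests entirely on the initial allocation and the growth code in the parse loop, both of which are outside this hunk (the body of amdgpu_parse_asic_ids starts and ends outside it). Presumably the table is always sized `table_max_size + 1`, but nothing here says so, and the number of entries comes from the contents of the ids file. I would state the invariant at the write, for example `/* end of table: buffer has table_size + 1 entries, from the realloc above or the table_max_size + 1 allocation */`, so that a later change to the growth logic does not reintroduce the heap overwrite this commit fixes.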