From: Florian Tobias Schandinat Date: Tue, 22 Sep 2009 23:47:41 +0000 (-0700) Subject: fb: fix fb_pan_display range check X-Git-Tag: v2.6.32-rc1~196 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=99e9e7d62becd6c7413a9e8fbda7f5b66adb5cbf;p=platform%2Fkernel%2Flinux-stable.git fb: fix fb_pan_display range check Fix the range check for panning. The current code fails to detect some invalid values (very high ones that can occur if an app tries to move further up/left than 0,0) as the check uses the unknown values for calculation so that an overflow can occur. To fix this it is sufficient to move the calculation to the right side to use only trusted values. Kai Jiang detected this problem and proposed an initial patch. Signed-off-by: Florian Tobias Schandinat Cc: Kai Jiang Cc: Krzysztof Helt Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- diff --git a/drivers/video/fbmem.c b/drivers/video/fbmem.c index a85c818..346f257 100644 --- a/drivers/video/fbmem.c +++ b/drivers/video/fbmem.c @@ -871,8 +871,8 @@ fb_pan_display(struct fb_info *info, struct fb_var_screeninfo *var) err = -EINVAL; if (err || !info->fbops->fb_pan_display || - var->yoffset + yres > info->var.yres_virtual || - var->xoffset + info->var.xres > info->var.xres_virtual) + var->yoffset > info->var.yres_virtual - yres || + var->xoffset > info->var.xres_virtual - info->var.xres) return -EINVAL; if ((err = info->fbops->fb_pan_display(var, info)))