From: Jan Vesely
Date: Fri, 1 Sep 2017 18:49:19 +0000 (-0400)
Subject: amdgpu: Do not write beyond allocated memory when parsing ids
X-Git-Tag: libdrm-2.4.84~17
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=d55d0804f9e37637d7510f38f97e07a50c6b7baa;p=platform%2Fupstream%2Flibdrm.git

amdgpu: Do not write beyond allocated memory when parsing ids

Fixes crash when /usr/share/libdrm/amdgpu.ids contains ASIC_ID_TABLE_NUM_ENTRIES + 1 entries.

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=102432
Fixes: 7e6bf88cac315a9fa41818cf72a7b5d18a2cb1fc (amdgpu: move asic id table to a separate file)
Signed-off-by: Jan Vesely
Reviewed-by: Michel Dänzer
---
diff --git a/amdgpu/amdgpu_asic_id.c b/amdgpu/amdgpu_asic_id.c index 3a88896..e821897 100644 --- a/amdgpu/amdgpu_asic_id.c +++ b/amdgpu/amdgpu_asic_id.c @@ -186,19 +186,20 @@ int amdgpu_parse_asic_ids(struct amdgpu_asic_id **p_asic_id_table) table_size++; } - /* end of table */ - id = asic_id_table + table_size; - memset(id, 0, sizeof(struct amdgpu_asic_id)); - if (table_size != table_max_size) { id = realloc(asic_id_table, (table_size + 1) * sizeof(struct amdgpu_asic_id)); - if (!id) + if (!id) { r = -ENOMEM; - else - asic_id_table = id; + goto free; + } + asic_id_table = id; } + /* end of table */ + id = asic_id_table + table_size; + memset(id, 0, sizeof(struct amdgpu_asic_id)); + free: free(line);
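
Review bot: In the relocated end-of-table write at the bottom of the hunk, `id = asic_id_table + table_size;` is still reached without a preceding realloc when `table_size == table_max_size`, so its safety depends on the original allocation holding at least `table_max_size + 1` entries, which these lines do not show. Consider making the `realloc(asic_id_table, (table_size + 1) * sizeof(struct amdgpu_asic_id))` unconditional, or adding a comment next to the `if (table_size != table_max_size)` check stating that the buffer always has room for the terminator. In the new `goto free` path, also confirm that the code under the `free:` label releases `asic_id_table` when `r` is set, since only `free(line);` is visible here and `realloc` leaves the old block allocated on failure.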