From d55d0804f9e37637d7510f38f97e07a50c6b7baa Mon Sep 17 00:00:00 2001 From: Jan Vesely Date: Fri, 1 Sep 2017 14:49:19 -0400 Subject: [PATCH] amdgpu: Do not write beyond allocated memory when parsing ids MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Fixes crash when/usr/share/libdrm/amdgpu.ids contains ASIC_ID_TABLE_NUM_ENTRIES + 1 entries. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=102432 Fixes: 7e6bf88cac315a9fa41818cf72a7b5d18a2cb1fc (amdgpu: move asic id table to a separate file) Signed-off-by: Jan Vesely Reviewed-by: Michel Dänzer --- amdgpu/amdgpu_asic_id.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/amdgpu/amdgpu_asic_id.c b/amdgpu/amdgpu_asic_id.c index 3a88896..e821897 100644 --- a/amdgpu/amdgpu_asic_id.c +++ b/amdgpu/amdgpu_asic_id.c @@ -186,19 +186,20 @@ int amdgpu_parse_asic_ids(struct amdgpu_asic_id **p_asic_id_table) table_size++; } - /* end of table */ - id = asic_id_table + table_size; - memset(id, 0, sizeof(struct amdgpu_asic_id)); - if (table_size != table_max_size) { id = realloc(asic_id_table, (table_size + 1) * sizeof(struct amdgpu_asic_id)); - if (!id) + if (!id) { r = -ENOMEM; - else - asic_id_table = id; + goto free; + } + asic_id_table = id; } + /* end of table */ + id = asic_id_table + table_size; + memset(id, 0, sizeof(struct amdgpu_asic_id)); + free: free(line); -- 2.7.4