diff mbox

drm: check for NULL parameter in exported drm_get_format_name() function.

Message ID 20161122164106.31852-1-Liviu.Dudau@arm.com
State New
Headers show

Commit Message

Liviu Dudau Nov. 22, 2016, 4:41 p.m. UTC 
drm_get_format_name() de-references the buf parameter without checking
if the pointer was not NULL. Given that the function is EXPORT-ed, lets
sanitise the parameters before proceeding.

Fixes: b3c11ac267d461d3d5 ("drm: move allocation out of drm_get_format_name())
Cc: Eric Engestrom <eric@engestrom.ch>
Cc: Rob Clark <robdclark@gmail.com>
Cc: Jani Nikula <jani.nikula@intel.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>

Signed-off-by: Liviu Dudau <Liviu.Dudau@arm.com>

---
 drivers/gpu/drm/drm_fourcc.c | 3 +++
 1 file changed, 3 insertions(+)

-- 
2.10.2

Comments

Ville Syrjala Nov. 22, 2016, 5:31 p.m. UTC | #1 
On Tue, Nov 22, 2016 at 12:23:59PM -0500, Rob Clark wrote:
> On Tue, Nov 22, 2016 at 11:50 AM, Ville Syrjälä

> <ville.syrjala@linux.intel.com> wrote:

> > On Tue, Nov 22, 2016 at 04:41:06PM +0000, Liviu Dudau wrote:

> >> drm_get_format_name() de-references the buf parameter without checking

> >> if the pointer was not NULL. Given that the function is EXPORT-ed, lets

> >> sanitise the parameters before proceeding.

> >>

> >> Fixes: b3c11ac267d461d3d5 ("drm: move allocation out of drm_get_format_name())

> >> Cc: Eric Engestrom <eric@engestrom.ch>

> >> Cc: Rob Clark <robdclark@gmail.com>

> >> Cc: Jani Nikula <jani.nikula@intel.com>

> >> Cc: Daniel Vetter <daniel.vetter@ffwll.ch>

> >>

> >> Signed-off-by: Liviu Dudau <Liviu.Dudau@arm.com>

> >> ---

> >>  drivers/gpu/drm/drm_fourcc.c | 3 +++

> >>  1 file changed, 3 insertions(+)

> >>

> >> diff --git a/drivers/gpu/drm/drm_fourcc.c b/drivers/gpu/drm/drm_fourcc.c

> >> index 90d2cc8..0a3ff0b 100644

> >> --- a/drivers/gpu/drm/drm_fourcc.c

> >> +++ b/drivers/gpu/drm/drm_fourcc.c

> >> @@ -85,6 +85,9 @@ EXPORT_SYMBOL(drm_mode_legacy_fb_format);

> >>   */

> >>  const char *drm_get_format_name(uint32_t format, struct drm_format_name_buf *buf)

> >>  {

> >> +     if (!buf)

> >> +             return NULL;

> >> +

> >

> > Seems rather pointless to me. Why would you ever pass NULL to this guy?

> 

> perhaps BUG_ON(!buf)...


And how does that differ from just buf->foo?

> 

> BR,

> -R

> 

> >>       snprintf(buf->str, sizeof(buf->str),

> >>                "%c%c%c%c %s-endian (0x%08x)",

> >>                printable_char(format & 0xff),

> >> --

> >> 2.10.2

> >>

> >> _______________________________________________

> >> dri-devel mailing list

> >> dri-devel@lists.freedesktop.org

> >> https://lists.freedesktop.org/mailman/listinfo/dri-devel

> >

> > --

> > Ville Syrjälä

> > Intel OTC

> > _______________________________________________

> > dri-devel mailing list

> > dri-devel@lists.freedesktop.org

> > https://lists.freedesktop.org/mailman/listinfo/dri-devel


-- 
Ville Syrjälä
Intel OTC
diff mbox

Patch

diff --git a/drivers/gpu/drm/drm_fourcc.c b/drivers/gpu/drm/drm_fourcc.c
index 90d2cc8..0a3ff0b 100644
--- a/drivers/gpu/drm/drm_fourcc.c
+++ b/drivers/gpu/drm/drm_fourcc.c
@@ -85,6 +85,9 @@  EXPORT_SYMBOL(drm_mode_legacy_fb_format);
  */
 const char *drm_get_format_name(uint32_t format, struct drm_format_name_buf *buf)
 {
+	if (!buf)
+		return NULL;
+
 	snprintf(buf->str, sizeof(buf->str),
 		 "%c%c%c%c %s-endian (0x%08x)",
 		 printable_char(format & 0xff),