xf86drm: fix null pointer deref in drmGetBufInfo

If info.count is large, drmMalloc() / alloca() may fail, and the resulting null pointer is not null checked before dereference. Issue: https://gitlab.freedesktop.org/mesa/drm/-/issues/62 Reviewed-by: Simon Ser <contact@emersion.fr> Signed-off-by: Alistair Delva <adelva@google.com>
author: Alistair Delva <adelva@google.com> 2021-03-02 08:18:06 -0800
committer: Alistair Delva <adelva@google.com> 2021-03-02 08:29:27 -0800
commit: 7d6a1759900ffde0a7aac2fa0cbd7c2bf4989476 (patch)
tree: 526af73e88113346098ab2f3c6b429225bdfa8f3 /xf86drm.c
parent: 2e67fef5f6c5870a7cdaa010496c84dc91d34e53 (diff)
download: libdrm-7d6a1759900ffde0a7aac2fa0cbd7c2bf4989476.tar.gz
libdrm-7d6a1759900ffde0a7aac2fa0cbd7c2bf4989476.tar.bz2
libdrm-7d6a1759900ffde0a7aac2fa0cbd7c2bf4989476.zip
1 files changed, 6 insertions, 1 deletions
diff --git a/xf86drm.c b/xf86drm.c
index 0185e985..edfeb347 100644
--- a/xf86drm.c
+++ b/xf86drm.c
@@ -1351,7 +1351,12 @@ drm_public drmBufInfoPtr drmGetBufInfo(int fd)
 
         retval = drmMalloc(sizeof(*retval));
         retval->count = info.count;
-        retval->list  = drmMalloc(info.count * sizeof(*retval->list));
+        if (!(retval->list = drmMalloc(info.count * sizeof(*retval->list)))) {
+                drmFree(retval);
+                drmFree(info.list);
+                return NULL;
+        }
+
         for (i = 0; i < info.count; i++) {
             retval->list[i].count     = info.list[i].count;
             retval->list[i].size      = info.list[i].size;
author	Alistair Delva <adelva@google.com>	2021-03-02 08:18:06 -0800
committer	Alistair Delva <adelva@google.com>	2021-03-02 08:29:27 -0800
commit	7d6a1759900ffde0a7aac2fa0cbd7c2bf4989476 (patch)
tree	526af73e88113346098ab2f3c6b429225bdfa8f3 /xf86drm.c
parent	2e67fef5f6c5870a7cdaa010496c84dc91d34e53 (diff)
download	libdrm-7d6a1759900ffde0a7aac2fa0cbd7c2bf4989476.tar.gz libdrm-7d6a1759900ffde0a7aac2fa0cbd7c2bf4989476.tar.bz2 libdrm-7d6a1759900ffde0a7aac2fa0cbd7c2bf4989476.zip