summaryrefslogtreecommitdiff
path: root/drivers/staging
diff options
context:
space:
mode:
Diffstat (limited to 'drivers/staging')
-rw-r--r--drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
index f72eebc71dd8..94590ac5b3cf 100644
--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
+++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
@@ -381,9 +381,18 @@ create_pagelist(char __user *buf, size_t count, unsigned short type,
int run, addridx, actual_pages;
unsigned long *need_release;
+ if (count >= INT_MAX - PAGE_SIZE)
+ return NULL;
+
offset = (unsigned int)buf & (PAGE_SIZE - 1);
num_pages = (count + offset + PAGE_SIZE - 1) / PAGE_SIZE;
+ if (num_pages > (SIZE_MAX - sizeof(PAGELIST_T) -
+ sizeof(struct vchiq_pagelist_info)) /
+ (sizeof(u32) + sizeof(pages[0]) +
+ sizeof(struct scatterlist)))
+ return NULL;
+
*ppagelist = NULL;
/* Allocate enough storage to hold the page pointers and the page
generated by cgit v1.2.3 (git 2.0.4) at 2024-05-25 18:35:28 +0000