From: Lin Ming
Date: Tue, 27 Apr 2010 03:46:25 +0000 (+0800)
Subject: ACPICA: Prevent possible allocation overrun during object copy
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=17b82327f3e7ab5a068f8019768008ee82d912be;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git
ACPICA: Prevent possible allocation overrun during object copy
Original code did not handle the case where the object to be copied was a namespace node.
Signed-off-by: Lin Ming
Signed-off-by: Bob Moore
Signed-off-by: Len Brown
---
diff --git a/drivers/acpi/acpica/utcopy.c b/drivers/acpi/acpica/utcopy.c
index 97ec3621e71d..6fef83f04bcd 100644
--- a/drivers/acpi/acpica/utcopy.c
+++ b/drivers/acpi/acpica/utcopy.c
@@ -677,16 +677,24 @@ acpi_ut_copy_simple_object(union acpi_operand_object *source_desc,
 u16 reference_count;
 union acpi_operand_object *next_object;
 acpi_status status;
+ acpi_size copy_size;
 /* Save fields from destination that we don't want to overwrite */
 reference_count = dest_desc->common.reference_count;
 next_object = dest_desc->common.next_object;
- /* Copy the entire source object over the destination object */
+ /*
+ * Copy the entire source object over the destination object.
+ * Note: Source can be either an operand object or namespace node.
+ */
+ copy_size = sizeof(union acpi_operand_object);
+ if (ACPI_GET_DESCRIPTOR_TYPE(source_desc) == ACPI_DESC_TYPE_NAMED) {
+ copy_size = sizeof(struct acpi_namespace_node);
+ }
- ACPI_MEMCPY((char *)dest_desc, (char *)source_desc,
- sizeof(union acpi_operand_object));
+ ACPI_MEMCPY(ACPI_CAST_PTR(char, dest_desc),
+ ACPI_CAST_PTR(char, source_desc), copy_size);
 /* Restore the saved fields */
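Review bot: When the source is a namespace node, the bytes of `dest_desc` beyond `sizeof(struct acpi_namespace_node)` keep whatever they held before the copy, because the new `copy_size` only bounds the read from `source_desc`. Any descriptor type other than `ACPI_DESC_TYPE_NAMED` also still gets the full operand-object size, so the read is safe only if every other caller-supplied source really is a full operand object. If the destination is not guaranteed to be freshly zeroed, clear it after the two fields are saved with `ACPI_MEMSET(dest_desc, 0, sizeof(union acpi_operand_object));`, or state the precondition in the new comment, e.g. `* Only copy_size bytes are overwritten; dest_desc must be a zero-initialized operand object.` The function begins before and continues after this hunk, so how the partially overwritten destination is used afterwards is not visible here.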