projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
import PULS_20180308
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / drivers / misc / mediatek / gpu / ged / src / ged_main.c
diff --git a/drivers/misc/mediatek/gpu/ged/src/ged_main.c b/drivers/misc/mediatek/gpu/ged/src/ged_main.c
index 59fe5b84a4de7fee0e03e4cfe403b330bae382ef..bca785bc4c5e0ce22eaccccfbb4f23cd867f7296 100644 (file)
--- a/drivers/misc/mediatek/gpu/ged/src/ged_main.c
+++ b/drivers/misc/mediatek/gpu/ged/src/ged_main.c
@@ -84,7 +84,15 @@ static long ged_dispatch(GED_BRIDGE_PACKAGE *psBridgePackageKM)
     typedef int (ged_bridge_func_type)(void*, void*);
     ged_bridge_func_type* pFunc = NULL;
     
-    if (psBridgePackageKM->i32InBufferSize + psBridgePackageKM->i32OutBufferSize < GED_IOCTL_PARAM_BUF_SIZE)
+    /* We make sure the both size and the sum of them are GE 0 integer.
+     * The sum will not overflow to zero, because we will get zero from two GE 0 integers
+     * if and only if they are both zero in a 2's complement numeral system.
+     * That is: if overflow happen, the sum will be a negative number.
+     */
+    if (psBridgePackageKM->i32InBufferSize >= 0 && psBridgePackageKM->i32OutBufferSize >= 0
+        && psBridgePackageKM->i32InBufferSize + psBridgePackageKM->i32OutBufferSize >= 0
+        && psBridgePackageKM->i32InBufferSize + psBridgePackageKM->i32OutBufferSize
+        < GED_IOCTL_PARAM_BUF_SIZE)
     {
         pvInt = gvIOCTLParamBuf;
         pvOut = (void*)((char*)pvInt + (uintptr_t)psBridgePackageKM->i32InBufferSize);
kernel source for telekom puls (alcatel/mediatek)