integer overflow in sde_connector of perseus-p-oss #1000
There is a suspected integer overflow bug in the _sde_debugfs_conn_cmd_tx_write method in drivers/gpu/drm/msm/sde/sde_connector.c. When the 3rd argument `count` is set to size_t-1, the addition of 1 in kmalloc (line 1548) will result in a wrap around to zero because of an integer overflow. kmalloc will return ZERO_SIZE_PTR. The subsequent check, which only considers a NULL pointer (line 1549), will be bypassed.
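The pattern described in the report, as an added user-space model that is not the driver's code or part of the original issue: it shows why a NULL-only check accepts the wrapped allocation, next to a bounded form. `model_kmalloc`, `model_kfree`, `null_check_only_accepts`, `checked_alloc` and the `MAX_CMD_LEN` cap are hypothetical names; `ZERO_SIZE_PTR` and `ZERO_OR_NULL_PTR` mirror the definitions in include/linux/slab.h.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space stand-ins modelled on include/linux/slab.h. */
#define ZERO_SIZE_PTR ((void *)16)
#define ZERO_OR_NULL_PTR(p) ((uintptr_t)(p) <= (uintptr_t)ZERO_SIZE_PTR)
#define MAX_CMD_LEN 4096u /* hypothetical cap, not taken from the driver */

/* Like kmalloc(): a zero-byte request yields ZERO_SIZE_PTR, not NULL. */
static void *model_kmalloc(size_t size)
{
    return size ? malloc(size) : ZERO_SIZE_PTR;
}

static void model_kfree(void *p)
{
    if (!ZERO_OR_NULL_PTR(p))
        free(p);
}

/* Reported pattern: count + 1, then a NULL-only check. Returns 1 if accepted. */
int null_check_only_accepts(size_t count, size_t *requested)
{
    *requested = count + 1; /* wraps to 0 when count == SIZE_MAX */
    void *buf = model_kmalloc(*requested);
    if (!buf)
        return 0;
    model_kfree(buf);
    return 1;
}

/* Hardened: bound count before the addition, reject ZERO_SIZE_PTR as well. */
int checked_alloc(size_t count, char **out)
{
    if (count > MAX_CMD_LEN)
        return -EINVAL;
    char *buf = model_kmalloc(count + 1);
    if (ZERO_OR_NULL_PTR(buf))
        return -ENOMEM;
    buf[count] = '\0';
    *out = buf;
    return 0;
}

int main(void)
{
    size_t req = 1;
    char *p = NULL;
    printf("NULL-only accepts: %d\n", null_check_only_accepts(SIZE_MAX, &req));
    printf("bytes requested: %zu\n", req);
    printf("checked_alloc: %d\n", checked_alloc(SIZE_MAX, &p));
    return 0;
}
```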