There is a suspected integer overflow bug in the _sde_debugfs_conn_cmd_tx_write method in drivers/gpu/drm/msm/sde/sde_connector.c. When the 3rd argument `count` is set to size_t-1, the addition of 1 in kmalloc (line 1548) will result in a wrap around to zero because of an integer overflow. kmalloc will return ZERO_SIZE_PTR. The subsequent check, which only considers a NULL pointer (line 1549), will be bypassed.
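The pattern described in the report, modelled in userspace as an added example (this is not the driver's code, and the hardened variant is one possible fix, not the project's). `model_kmalloc`, `check_null_only`, `check_hardened` and the `verdict` enum are hypothetical names; `ZERO_SIZE_PTR` and `ZERO_OR_NULL_PTR` mirror the kernel's definitions in include/linux/slab.h.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Mirrors the kernel's include/linux/slab.h. */
#define ZERO_SIZE_PTR ((void *)16)
#define ZERO_OR_NULL_PTR(x) ((uintptr_t)(x) <= (uintptr_t)ZERO_SIZE_PTR)

enum verdict { REJECTED, ACCEPTED_USABLE, ACCEPTED_UNUSABLE };

/* Userspace stand-in for kmalloc(): a zero-size request yields ZERO_SIZE_PTR. */
static void *model_kmalloc(size_t size)
{
    return size ? malloc(size) : ZERO_SIZE_PTR;
}

/* Pattern from the report: count + 1 is allocated, only NULL is checked. */
static enum verdict check_null_only(size_t count)
{
    void *buf = model_kmalloc(count + 1);   /* wraps to 0 for SIZE_MAX */

    if (!buf)
        return REJECTED;
    if (ZERO_OR_NULL_PTR(buf))
        return ACCEPTED_UNUSABLE;           /* passed the check, no storage */
    free(buf);
    return ACCEPTED_USABLE;
}

/* Hardened: refuse a count whose +1 wraps, and treat ZERO_SIZE_PTR as failure. */
static enum verdict check_hardened(size_t count)
{
    void *buf;

    if (count == SIZE_MAX)
        return REJECTED;
    buf = model_kmalloc(count + 1);
    if (ZERO_OR_NULL_PTR(buf))
        return REJECTED;
    free(buf);
    return ACCEPTED_USABLE;
}

int main(void)
{
    printf("null-only, SIZE_MAX: %d\n", check_null_only(SIZE_MAX));
    printf("hardened,  SIZE_MAX: %d\n", check_hardened(SIZE_MAX));
    return 0;
}
```

In kernel code the same two guards would be an explicit bound on `count` before the allocation and a `ZERO_OR_NULL_PTR()` test on the result in place of the plain NULL test.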