From 772812ee525dd4f84b3bca81644b76ed28bd2493 Mon Sep 17 00:00:00 2001
From: miod <miod@openbsd.org>
Date: Tue, 29 Jul 2008 19:13:56 +0000
Subject: [PATCH] Stricter bounds checking for values controlling loops or
 memory allocations, which may come from userland via ioctls. ok oga@

---
 sys/dev/pci/drm/i915_dma.c     | 10 ++++++++--
 sys/dev/pci/drm/radeon_state.c |  2 ++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/sys/dev/pci/drm/i915_dma.c b/sys/dev/pci/drm/i915_dma.c
index 27d152cb727..6690aac215d 100644
--- a/sys/dev/pci/drm/i915_dma.c
+++ b/sys/dev/pci/drm/i915_dma.c
@@ -554,8 +554,8 @@ static int i915_dispatch_cmdbuffer(struct drm_device * dev,
 	int nbox = cmd->num_cliprects;
 	int i = 0, count, ret;
 
-	if (cmd->sz & 0x3) {
-		DRM_ERROR("alignment\n");
+	if (cmd->sz <= 0 || (cmd->sz & 0x3) != 0) {
+		DRM_ERROR("negative value or incorrect alignment\n");
 		return -EINVAL;
 	}
 
@@ -746,6 +746,9 @@ static int i915_batchbuffer(struct drm_device *dev, void *data,
 	DRM_DEBUG("i915 batchbuffer, start %x used %d cliprects %d\n",
 		  batch->start, batch->used, batch->num_cliprects);
 
+	if (batch->num_cliprects < 0)
+		return -EINVAL;
+
 	LOCK_TEST_WITH_RETURN(dev, file_priv);
 
 	if (batch->num_cliprects && DRM_VERIFYAREA_READ(batch->cliprects,
@@ -771,6 +774,9 @@ static int i915_cmdbuffer(struct drm_device *dev, void *data,
 	DRM_DEBUG("i915 cmdbuffer, buf %p sz %d cliprects %d\n",
 		  cmdbuf->buf, cmdbuf->sz, cmdbuf->num_cliprects);
 
+	if (cmdbuf->num_cliprects < 0)
+		return -EINVAL;
+
 	LOCK_TEST_WITH_RETURN(dev, file_priv);
 
 	if (cmdbuf->num_cliprects &&
diff --git a/sys/dev/pci/drm/radeon_state.c b/sys/dev/pci/drm/radeon_state.c
index c50ac248dd7..5be3ffd0ebb 100644
--- a/sys/dev/pci/drm/radeon_state.c
+++ b/sys/dev/pci/drm/radeon_state.c
@@ -3147,6 +3147,8 @@ static int radeon_cp_setparam(struct drm_device *dev, void *data, struct drm_fil
 		dev_priv->new_memmap = sp->value;
 		break;
 	case RADEON_SETPARAM_PCIGART_TABLE_SIZE:
+		if (sp->value < 0)
+			return -EINVAL;
 		dev_priv->gart_info.table_size = sp->value;
 		if (dev_priv->gart_info.table_size < RADEON_PCIGART_TABLE_SIZE)
 			dev_priv->gart_info.table_size = RADEON_PCIGART_TABLE_SIZE;
-- 
2.20.1