From f0f4bd790d1f6409084d9a1a79beba1d7a8baf7d Mon Sep 17 00:00:00 2001
From: Thomas White
Date: Wed, 9 Sep 2009 15:41:02 +0100
Subject: Sanitise size and alignment of GEM objects
Signed-off-by: Thomas White
---
 drivers/mfd/glamo/glamo-buffer.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
(limited to 'drivers/mfd')
diff --git a/drivers/mfd/glamo/glamo-buffer.c b/drivers/mfd/glamo/glamo-buffer.c
index ae8eeadb25a..b7aceaa3a86 100644
--- a/drivers/mfd/glamo/glamo-buffer.c
+++ b/drivers/mfd/glamo/glamo-buffer.c
@@ -100,10 +100,20 @@ int glamo_ioctl_gem_create(struct drm_device *dev, void *data,
 {
 struct drm_glamo_gem_create *args = data;
 struct drm_gem_object *obj;
- int handle, ret;
+ int handle, ret, alignment, size;
+
+ /* Alignment must be a non-zero multiple of 2 */
+ alignment = args->alignment;
+ if ( alignment == 2 ) alignment = 2;
+ if ( alignment % 2 ) alignment *= 2;
+
+ /* Size must be similarly sanitised */
+ size = args->size;
+ if ( size < 2 ) size = 2;
+ if ( size % 2 ) size += 1;
 /* Create an object */
- obj = glamo_gem_object_alloc(dev, args->size, args->alignment);
+ obj = glamo_gem_object_alloc(dev, size, alignment);
 if ( obj == NULL ) return -ENOMEM;
 /* Create a handle for it */
-- 
cgit v1.2.3
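Review bot: The alignment guard `if ( alignment == 2 ) alignment = 2;` is a no-op, so a zero alignment from the ioctl argument still reaches glamo_gem_object_alloc() even though the comment above it promises a non-zero multiple of 2; it presumably should read `if ( alignment < 2 ) alignment = 2;`, mirroring the size check. Both caller-supplied values are also copied into plain `int` locals (the field types of struct drm_glamo_gem_create are not visible here), so a very large value may turn negative or overflow in `alignment *= 2` and `size += 1`, and a negative even alignment passes through unchanged. Using unsigned locals and rejecting values above a driver-defined maximum with `return -EINVAL;` before the allocation would close that gap. The function's signature and the rest of its body lie outside this hunk, so any later validation there is not visible.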