1 diff -Nur c3000_pre/linux/drivers/char/drm/r128_state.c c3000_work/linux/drivers/char/drm/r128_state.c
2 --- c3000_pre/linux/drivers/char/drm/r128_state.c 2004-08-21 09:48:33.000000000 +0900
3 +++ c3000_work/linux/drivers/char/drm/r128_state.c 2004-12-16 21:11:04.000000000 +0900
5 * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
6 * DEALINGS IN THE SOFTWARE.
8 + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
9 + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
10 + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
11 + * RED HAT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
12 + * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
13 + * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
14 + * DEALINGS IN THE SOFTWARE.
16 + * THIS SOFTWARE IS NOT INTENDED FOR USE IN SAFETY CRITICAL SYSTEMS
19 * Gareth Hughes <gareth@valinux.com>
21 + * Memory allocation size checks added 14/01/2003, Alan Cox <alan@redhat.com>
22 + * Memory allocation size checks enhanced 16/02/2004, Thomas Biege <thomas@suse.de>
28 DRM_DEBUG( "%s\n", __FUNCTION__ );
32 + if( count > 4096 || count <= 0)
34 if ( copy_from_user( &x, depth->x, sizeof(x) ) ) {
41 + if( count > 4096 || count <= 0)
44 x = kmalloc( count * sizeof(*x), GFP_KERNEL );
48 DRM_DEBUG( "%s\n", __FUNCTION__ );
52 + if ( count > 4096 || count <= 0)
54 if ( copy_from_user( &x, depth->x, sizeof(x) ) ) {
57 @@ -1152,9 +1175,14 @@
58 DRM_DEBUG( "%s\n", __FUNCTION__ );
61 + if ( count > 4096 || count <= 0)
63 if ( count > dev_priv->depth_pitch ) {
64 count = dev_priv->depth_pitch;
66 + if( count * sizeof(int) <= 0 || count * sizeof(*x) <= 0 || count * sizeof(*y) <= 0)
70 x = kmalloc( count * sizeof(*x), GFP_KERNEL );
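Review bot: The added guard `if( count * sizeof(int) <= 0 || count * sizeof(*x) <= 0 || count * sizeof(*y) <= 0)` cannot detect an overflowing multiplication, because `sizeof` yields an unsigned `size_t`, so each product is unsigned and `<= 0` is true only when it is exactly zero. Assuming `count` is a signed int (as the earlier `count <= 0` test suggests), the range check `count > 4096 || count <= 0` already does the real work, and the new test only matters if `dev_priv->depth_pitch`, which replaces `count` just above it, can be zero or negative. Saying that directly is clearer, e.g. `if ( count <= 0 ) return -EMSGSIZE;` after the clamp, or a division-based bound such as `count > INT_MAX / sizeof(*x)` if an overflow test is really wanted. The same expression is added in the drm-4.0 copy of this file (both the combined check and the post-clamp check), and the literal 4096 is repeated at every site where a named constant would keep them in step. The enclosing functions start and end outside the visible lines.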
72 diff -Nur c3000_pre/linux/drivers/char/drm-4.0/r128_state.c c3000_work/linux/drivers/char/drm-4.0/r128_state.c
73 --- c3000_pre/linux/drivers/char/drm-4.0/r128_state.c 2004-08-21 09:48:33.000000000 +0900
74 +++ c3000_work/linux/drivers/char/drm-4.0/r128_state.c 2004-12-16 21:11:04.000000000 +0900
77 * Gareth Hughes <gareth@valinux.com>
79 + * Memory allocation size checks added 16/02/2004, Thomas Biege <thomas@suse.de>
83 #define __NO_VERSION__
89 + if( count > 4096 || count <= 0)
91 if ( copy_from_user( &x, depth->x, sizeof(x) ) ) {
98 + if( count > 4096 || count <= 0 || count * sizeof(*x) <= 0 ||
99 + count * sizeof(*y) <= 0)
102 x = kmalloc( count * sizeof(*x), 0 );
104 @@ -1178,6 +1186,9 @@
109 + if ( count > 4096 || count <= 0)
111 if ( copy_from_user( &x, depth->x, sizeof(x) ) ) {
114 @@ -1235,9 +1246,13 @@
118 + if ( count > 4096 || count <= 0)
120 if ( count > dev_priv->depth_pitch ) {
121 count = dev_priv->depth_pitch;
123 + if( count * sizeof(int) <= 0 || count * sizeof(*x) <= 0 || count * sizeof(*y) <= 0)
126 x = kmalloc( count * sizeof(*x), 0 );
128 diff -Nur c3000_pre/linux/drivers/sound/sb_audio.c c3000_work/linux/drivers/sound/sb_audio.c
129 --- c3000_pre/linux/drivers/sound/sb_audio.c 2004-08-21 09:48:54.000000000 +0900
130 +++ c3000_work/linux/drivers/sound/sb_audio.c 2004-12-16 21:11:04.000000000 +0900
132 c -= locallen; p += locallen;
134 /* used = ( samples * 16 bits size ) */
136 + *used = (max_in > (max_out << 1)) ? (max_out << 1) : max_in;
137 /* returned = ( samples * 8 bits size ) */
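Review bot: The comment above the new assignment still reads `/* used = ( samples * 16 bits size ) */`, which no longer describes the expression, since `*used` is now the smaller of `max_in` and `max_out << 1`. A comment such as `/* used = min(max_in, 2 * max_out): presumably so no more input is consumed than the output buffer can take */` would record why the clamp exists. If `max_out` is a signed int (its declaration is outside the visible lines), `max_out << 1` can overflow for large values, so a range check or an unsigned type would be safer. The enclosing function is not visible here.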
140 diff -Nur c3000_pre/linux/fs/isofs/dir.c c3000_work/linux/fs/isofs/dir.c
141 --- c3000_pre/linux/fs/isofs/dir.c 2004-08-21 09:48:59.000000000 +0900
142 +++ c3000_work/linux/fs/isofs/dir.c 2004-12-16 21:11:04.000000000 +0900
146 /* Convert remaining ';' to '.' */
148 + /* Also '/' to '.' (broken Acorn-generated ISO9660 images) */
149 + if (c == ';' || c == '/')
153 diff -Nur c3000_pre/linux/fs/jbd/journal.c c3000_work/linux/fs/jbd/journal.c
154 --- c3000_pre/linux/fs/jbd/journal.c 2004-08-21 09:48:59.000000000 +0900
155 +++ c3000_work/linux/fs/jbd/journal.c 2004-12-16 21:11:04.000000000 +0900
158 bh = getblk(journal->j_dev, blocknr, journal->j_blocksize);
160 + memset(bh->b_data, 0, journal->j_blocksize);
161 BUFFER_TRACE(bh, "return this buffer");
162 return journal_add_journal_head(bh);
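Review bot: The new `memset(bh->b_data, 0, journal->j_blocksize);` carries no comment saying why a freshly obtained buffer is cleared. Presumably the intent is that stale memory contents in the unused part of the block never reach the on-disk journal; if so, state it, e.g. `/* zero the block so stale buffer contents are not written to the journal */`. The visible lines also show no check of the `getblk()` result before `bh->b_data` is dereferenced, and whether one is needed depends on code outside this hunk.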
164 diff -Nur c3000_pre/linux/fs/ncpfs/dir.c c3000_work/linux/fs/ncpfs/dir.c
165 --- c3000_pre/linux/fs/ncpfs/dir.c 2004-08-21 09:49:00.000000000 +0900
166 +++ c3000_work/linux/fs/ncpfs/dir.c 2004-12-16 21:11:04.000000000 +0900
168 struct ncp_server *server;
169 struct inode *dir = dentry->d_parent->d_inode;
170 struct ncp_entry_info finfo;
171 - int res, val = 0, len = dentry->d_name.len + 1;
173 + int res, val = 0, len;
174 + __u8 __name[NCP_MAXPATHLEN + 1];
176 if (!dentry->d_inode || !dir)
178 @@ -291,14 +291,15 @@
179 dentry->d_parent->d_name.name, dentry->d_name.name,
180 NCP_GET_AGE(dentry));
182 + len = sizeof(__name);
183 if (ncp_is_server_root(dir)) {
184 res = ncp_io2vol(server, __name, &len, dentry->d_name.name,
186 + dentry->d_name.len, 1);
188 res = ncp_lookup_volume(server, __name, &(finfo.i));
190 res = ncp_io2vol(server, __name, &len, dentry->d_name.name,
191 - len-1, !ncp_preserve_case(dir));
192 + dentry->d_name.len, !ncp_preserve_case(dir));
194 res = ncp_obtain_info(server, dir, __name, &(finfo.i));
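Review bot: After this change `len` is an in/out argument, but nothing at the call sites says so: `len = sizeof(__name);` sets the capacity of the fixed `__name[NCP_MAXPATHLEN + 1]` buffer before each `ncp_io2vol()` call. The overflow protection therefore depends on `ncp_io2vol()` treating `*len` as a bound on what it writes and failing when the converted name does not fit; that function is not part of the visible diff, so this should be confirmed. A short comment on the assignment, e.g. `/* in: capacity of __name, out: converted length */`, would make the contract explicit. The same pattern recurs in the other ncpfs functions touched further down, including the `ncp_vol2io()` call that uses `qname.len`. The enclosing function starts and ends outside this hunk.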
201 + __u8 __name[NCP_MAXPATHLEN + 1];
204 + qname.len = sizeof(__name);
205 if (ncp_vol2io(NCP_SERVER(inode), __name, &qname.len,
206 entry->i.entryName, entry->i.nameLen,
207 !ncp_preserve_entry_case(inode, entry->i.NSCreator)))
208 @@ -705,16 +706,19 @@
210 struct ncp_server* server = NCP_SBP(sb);
211 struct nw_info_struct i;
212 - int result, len = strlen(server->m.mounted_vol) + 1;
216 if (ncp_single_volume(server)) {
219 + __u8 __name[NCP_MAXPATHLEN + 1];
222 - if (ncp_io2vol(server, __name, &len, server->m.mounted_vol,
224 + len = sizeof(__name);
225 + result = ncp_io2vol(server, __name, &len, server->m.mounted_vol,
226 + strlen(server->m.mounted_vol), 1);
230 if (ncp_lookup_volume(server, __name, &i)) {
231 PPRINTK("ncp_conn_logged_in: %s not found\n",
232 server->m.mounted_vol);
234 struct ncp_server *server = NCP_SERVER(dir);
235 struct inode *inode = NULL;
236 struct ncp_entry_info finfo;
237 - int error, res, len = dentry->d_name.len + 1;
239 + int error, res, len;
240 + __u8 __name[NCP_MAXPATHLEN + 1];
243 if (!ncp_conn_valid(server))
244 @@ -755,14 +759,15 @@
245 PPRINTK("ncp_lookup: server lookup for %s/%s\n",
246 dentry->d_parent->d_name.name, dentry->d_name.name);
248 + len = sizeof(__name);
249 if (ncp_is_server_root(dir)) {
250 res = ncp_io2vol(server, __name, &len, dentry->d_name.name,
252 + dentry->d_name.len, 1);
254 res = ncp_lookup_volume(server, __name, &(finfo.i));
256 res = ncp_io2vol(server, __name, &len, dentry->d_name.name,
257 - len-1, !ncp_preserve_case(dir));
258 + dentry->d_name.len, !ncp_preserve_case(dir));
260 res = ncp_obtain_info(server, dir, __name, &(finfo.i));
264 struct ncp_server *server = NCP_SERVER(dir);
265 struct ncp_entry_info finfo;
266 - int error, result, len = dentry->d_name.len + 1;
267 + int error, result, len;
270 + __u8 __name[NCP_MAXPATHLEN + 1];
272 PPRINTK("ncp_create_new: creating %s/%s, mode=%x\n",
273 dentry->d_parent->d_name.name, dentry->d_name.name, mode);
277 ncp_age_dentry(server, dentry);
278 + len = sizeof(__name);
279 error = ncp_io2vol(server, __name, &len, dentry->d_name.name,
280 - len-1, !ncp_preserve_case(dir));
281 + dentry->d_name.len, !ncp_preserve_case(dir));
287 struct ncp_entry_info finfo;
288 struct ncp_server *server = NCP_SERVER(dir);
289 - int error, len = dentry->d_name.len + 1;
292 + __u8 __name[NCP_MAXPATHLEN + 1];
294 DPRINTK("ncp_mkdir: making %s/%s\n",
295 dentry->d_parent->d_name.name, dentry->d_name.name);
299 ncp_age_dentry(server, dentry);
300 + len = sizeof(__name);
301 error = ncp_io2vol(server, __name, &len, dentry->d_name.name,
302 - len-1, !ncp_preserve_case(dir));
303 + dentry->d_name.len, !ncp_preserve_case(dir));
308 static int ncp_rmdir(struct inode *dir, struct dentry *dentry)
310 struct ncp_server *server = NCP_SERVER(dir);
311 - int error, result, len = dentry->d_name.len + 1;
313 + int error, result, len;
314 + __u8 __name[NCP_MAXPATHLEN + 1];
316 DPRINTK("ncp_rmdir: removing %s/%s\n",
317 dentry->d_parent->d_name.name, dentry->d_name.name);
319 if (!d_unhashed(dentry))
322 + len = sizeof(__name);
323 error = ncp_io2vol(server, __name, &len, dentry->d_name.name,
324 - len-1, !ncp_preserve_case(dir));
325 + dentry->d_name.len, !ncp_preserve_case(dir));
329 @@ -1022,9 +1030,8 @@
331 struct ncp_server *server = NCP_SERVER(old_dir);
333 - int old_len = old_dentry->d_name.len + 1;
334 - int new_len = new_dentry->d_name.len + 1;
335 - __u8 __old_name[old_len], __new_name[new_len];
336 + int old_len, new_len;
337 + __u8 __old_name[NCP_MAXPATHLEN + 1], __new_name[NCP_MAXPATHLEN + 1];
339 DPRINTK("ncp_rename: %s/%s to %s/%s\n",
340 old_dentry->d_parent->d_name.name, old_dentry->d_name.name,
341 @@ -1037,14 +1044,16 @@
342 ncp_age_dentry(server, old_dentry);
343 ncp_age_dentry(server, new_dentry);
345 + old_len = sizeof(__old_name);
346 error = ncp_io2vol(server, __old_name, &old_len,
347 - old_dentry->d_name.name, old_len-1,
348 + old_dentry->d_name.name, old_dentry->d_name.len,
349 !ncp_preserve_case(old_dir));
353 + new_len = sizeof(__new_name);
354 error = ncp_io2vol(server, __new_name, &new_len,
355 - new_dentry->d_name.name, new_len-1,
356 + new_dentry->d_name.name, new_dentry->d_name.len,
357 !ncp_preserve_case(new_dir));