From 849cced5cad5a5a8ac89b4d6f0245a6b4e015a6b Mon Sep 17 00:00:00 2001
From: Owain Ainsworth <oga@cvs.openbsd.org>
Date: Tue, 22 Feb 2011 14:16:39 +0000
Subject: In drm_modeset_ctl make sure to check the (now signed) value is > 0
 as well as < the array length.

ok kettenis@, mikeb@ (who suggested the same fix) and marco@.

"get that fixed" deraadt@.
---
 sys/dev/pci/drm/drm_irq.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/dev/pci/drm/drm_irq.c b/sys/dev/pci/drm/drm_irq.c
index 0c49c987cbd..c67d0912dbf 100644
--- a/sys/dev/pci/drm/drm_irq.c
+++ b/sys/dev/pci/drm/drm_irq.c
@@ -286,7 +286,7 @@ drm_modeset_ctl(struct drm_device *dev, void *data, struct drm_file *file_priv)
 		return (0);
 
 	crtc = modeset->crtc;
-	if (crtc >= dev->vblank->vb_num)
+	if (crtc >= dev->vblank->vb_num || crtc < 0)
 		return (EINVAL);
 
 	vbl = &dev->vblank->vb_crtcs[crtc];
-- 
cgit v1.2.3