[PATCH] framebuffer bugfix

From: Arjan van de Ven <arjanv@redhat.com> Patch below fixes a thinko in the frame buffer drivers; the code does cursor.image.data = kmalloc(size, GFP_KERNEL); .... cursor.mask = kmalloc(size, GFP_KERNEL); .... if (copy_from_user(&cursor.image.data, sprite->image.data, size) || copy_from_user(cursor.mask, sprite->mask, size)) { .... where it's clear that the & in the first copy_from_user is utterly bogus since the destination is the content of the newly allocated buffer, and not the pointer to it as the code does.

[PATCH] framebuffer bugfix
From: Arjan van de Ven <arjanv@redhat.com> Patch below fixes a thinko in the frame buffer drivers; the code does cursor.image.data = kmalloc(size, GFP_KERNEL); .... cursor.mask = kmalloc(size, GFP_KERNEL); .... if (copy_from_user(&cursor.image.data, sprite->image.data, size) || copy_from_user(cursor.mask, sprite->mask, size)) { .... where it's clear that the & in the first copy_from_user is utterly bogus since the destination is the content of the newly allocated buffer, and not the pointer to it as the code does.
e01d652a · Andrew Morton · Linus Torvalds · 7285840f · e01d652a
Commit e01d652a authored Apr 12, 2004 by Andrew Morton Committed by Linus Torvalds Apr 12, 2004
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

drivers/video/fbmem.c drivers/video/fbmem.c +1 -1

No files found.
--- a/drivers/video/fbmem.c
+++ b/drivers/video/fbmem.c
@@ -911,7 +911,7 @@ fb_cursor(struct fb_info *info, struct fb_cursor *sprite)
 			return -ENOMEM;
 		}
-		if (copy_from_user(&cursor.image.data, sprite->image.data, size) ||
+		if (copy_from_user(cursor.image.data, sprite->image.data, size) ||
 		    copy_from_user(cursor.mask, sprite->mask, size)) { 
 			kfree(cursor.image.data);
 			kfree(cursor.mask);