+3 -1

drivers/video/gbefb.c

reviewed

··· 1016 1016 /* check range */ 1017 1017 if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT)) 1018 1018 return -EINVAL; 1019 1019 - if (offset + size > gbe_mem_size) 1019 1019 + if (size > gbe_mem_size) 1020 1020 + return -EINVAL; 1021 1021 + if (offset > gbe_mem_size - size) 1020 1022 return -EINVAL; 1021 1023 1022 1024 /* remap using the fastest write-through mode on architecture */

+5 -1

drivers/video/smscufx.c

reviewed

··· 782 782 unsigned long offset = vma->vm_pgoff << PAGE_SHIFT; 783 783 unsigned long page, pos; 784 784 785 785 - if (offset + size > info->fix.smem_len) 785 785 + if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT)) 786 786 + return -EINVAL; 787 787 + if (size > info->fix.smem_len) 788 788 + return -EINVAL; 789 789 + if (offset > info->fix.smem_len - size) 786 790 return -EINVAL; 787 791 788 792 pos = (unsigned long)info->fix.smem_start + offset;

+5 -1

drivers/video/udlfb.c

reviewed

··· 324 324 unsigned long offset = vma->vm_pgoff << PAGE_SHIFT; 325 325 unsigned long page, pos; 326 326 327 327 - if (offset + size > info->fix.smem_len) 327 327 + if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT)) 328 328 + return -EINVAL; 329 329 + if (size > info->fix.smem_len) 330 330 + return -EINVAL; 331 331 + if (offset > info->fix.smem_len - size) 328 332 return -EINVAL; 329 333 330 334 pos = (unsigned long)info->fix.smem_start + offset;

+5 -2

drivers/video/vfb.c

reviewed

··· 420 420 unsigned long offset = vma->vm_pgoff << PAGE_SHIFT; 421 421 unsigned long page, pos; 422 422 423 423 - if (offset + size > info->fix.smem_len) { 423 423 + if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT)) 424 424 return -EINVAL; 425 425 - } 425 425 + if (size > info->fix.smem_len) 426 426 + return -EINVAL; 427 427 + if (offset > info->fix.smem_len - size) 428 428 + return -EINVAL; 426 429 427 430 pos = (unsigned long)info->fix.smem_start + offset; 428 431