From 034ccd3ae52e3a6cfaff79c732187534d711e49b Mon Sep 17 00:00:00 2001
From: Marcin Chrzanowski
Date: Mon, 28 May 2018 21:24:02 +0200
Subject: Update argument checking
---
 surface.c | 45 ++++++++++++++++++++++++++++++++++++---------
 1 file changed, 36 insertions(+), 9 deletions(-)
diff --git a/surface.c b/surface.c
index 35c68bc..f4fa64f 100644
--- a/surface.c
+++ b/surface.c
@@ -371,6 +371,8 @@ long fill_rects(struct file *filp, unsigned long arg)
 return param->rects_num;
 }
+struct file_operations surface_fops;
+
 long copy_rects(struct file *filp, unsigned long arg)
 {
 struct surface_data *dst_data;
@@ -379,16 +381,22 @@ long copy_rects(struct file *filp, unsigned long arg)
 struct doomdev_copy_rect *rects;
 struct fd src_fds;
 int i;
+ int err;
 dst_data = filp->private_data;
 param = (struct doomdev_surf_ioctl_copy_rects *) arg;
 rects = (struct doomdev_copy_rect *) param->rects_ptr;
 src_fds = fdget(param->surf_src_fd);
- src_data = src_fds.file->private_data;
+ if (src_fds.file->f_op != &surface_fops) {
+ err = -EINVAL;
+ goto error_fdget;
+ }
+ src_data = src_fds.file->private_data;
 if (dst_data->doom_data != src_data->doom_data) {
- return -EINVAL;
+ err = -EINVAL;
+ goto error_fdget;
 }
 mutex_lock(&dst_data->doom_data->cmd_mutex);
@@ -397,11 +405,14 @@ long copy_rects(struct file *filp, unsigned long arg)
 copy_rect(dst_data, src_data, rects[i]);
 }
+ err = param->rects_num;
+
 mutex_unlock(&dst_data->doom_data->cmd_mutex);
+error_fdget:
 fdput(src_fds);
- return param->rects_num;
+ return err;
 }
 long draw_columns(struct file *filp, unsigned long arg)
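Review bot: `src_fds.file` is dereferenced by the new `f_op` check without first testing whether `fdget()` found a file; for a descriptor number that is not open `fdget()` leaves `file` NULL, so `src_fds.file->f_op` faults in kernel context on a value chosen by the ioctl caller. Add `if (!src_fds.file) return -EBADF;` directly after the `fdget()` call, before the `f_op` comparison (no reference is held in that case, so a plain return is enough). The same unchecked dereference is in the draw_spans and do_draw_background hunks (`flat_fds.file->f_op`). copy_rects begins before this hunk and continues past it.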
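Review bot: `err = param->rects_num;` reads the count through `param`, which the preceding hunk shows is `arg` cast to a pointer, so the return value is fetched from user memory a second time after the rectangles were processed. If the loop bound comes from the same field (the loop lies between the hunks and is not visible here), a caller changing the structure concurrently can make the returned count differ from the work done, and the direct dereference skips the uaccess checks. Copy the ioctl structure into a kernel-side struct once with `copy_from_user()` at the top of the function and take both the loop bound and `err` from that copy. `err = param->spans_num;` in draw_spans has the same problem.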
@@ -514,16 +525,22 @@ long draw_spans(struct file *filp, unsigned long arg)
 struct doomdev_span *spans;
 struct fd flat_fds;
 int i;
+ int err;
 surface_data = filp->private_data;
 param = (struct doomdev_surf_ioctl_draw_spans *) arg;
 flat_fds = fdget(param->flat_fd);
- flat_data = flat_fds.file->private_data;
+ if (flat_fds.file->f_op != &flat_fops) {
+ err = -EINVAL;
+ goto error_fdget;
+ }
+ flat_data = flat_fds.file->private_data;
 if (surface_data->doom_data != flat_data->doom_data) {
- return -EINVAL;
+ err = -EINVAL;
+ goto error_fdget;
 }
 spans = (struct doomdev_span *) param->spans_ptr;
@@ -534,11 +551,14 @@ long draw_spans(struct file *filp, unsigned long arg)
 draw_span(surface_data, flat_data, spans[i]);
 }
+ err = param->spans_num;
+
 mutex_unlock(&surface_data->doom_data->cmd_mutex);
+error_fdget:
 fdput(flat_fds);
- return param->spans_num;
+ return err;
 }
 long do_draw_background(struct file *filp, unsigned long arg)
@@ -547,16 +567,22 @@ long do_draw_background(struct file *filp, unsigned long arg)
 struct surface_data *surface_data;
 struct flat_data *flat_data;
 struct fd flat_fds;
+ int err = 0;
 surface_data = filp->private_data;
 param = (struct doomdev_surf_ioctl_draw_background *) arg;
 flat_fds = fdget(param->flat_fd);
- flat_data = flat_fds.file->private_data;
+ if (flat_fds.file->f_op != &flat_fops) {
+ err = -EINVAL;
+ goto error_fdget;
+ }
+ flat_data = flat_fds.file->private_data;
 if (surface_data->doom_data != flat_data->doom_data) {
- return -EINVAL;
+ err = -EINVAL;
+ goto error_fdget;
 }
 mutex_lock(&surface_data->doom_data->cmd_mutex);
@@ -565,9 +591,10 @@ long do_draw_background(struct file *filp, unsigned long arg)
 mutex_unlock(&surface_data->doom_data->cmd_mutex);
+error_fdget:
 fdput(flat_fds);
- return 0;
+ return err;
 }
 long surface_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
--
cgit v1.2.3
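Review bot: The new `f_op` comparison in draw_spans carries no comment, and its purpose is easy to miss: it is the only thing that makes the following `flat_data = flat_fds.file->private_data;` type-safe, because a descriptor for any other kind of file would hand back unrelated `private_data`. A one-line comment above the check would keep it from being dropped or moved below the assignment later, e.g. `/* only a flat fd carries struct flat_data in private_data */`. The same comment fits the check in do_draw_background and, worded for surfaces, the one in copy_rects.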