ACPICA: Fix integer overflow in acpi_ex_opcode_3A_1T_1R() (mid_op)

author ikaros <void0red@gmail.com>

Wed, 27 May 2026 18:02:06 +0000 (20:02 +0200)

committer Rafael J. Wysocki <rafael.j.wysocki@intel.com>

Wed, 27 May 2026 18:18:46 +0000 (20:18 +0200)
author ikaros <void0red@gmail.com>
Wed, 27 May 2026 18:02:06 +0000 (20:02 +0200)
committer Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Wed, 27 May 2026 18:18:46 +0000 (20:18 +0200)
diff --git a/drivers/acpi/acpica/exoparg3.c b/drivers/acpi/acpica/exoparg3.c

index 2fc8070814e321eab779785819400059d58d9da3..2790bf1a12e78f06930a3712ffc86e161d14ad1e 100644 (file)
--- a/drivers/acpi/acpica/exoparg3.c
+++ b/drivers/acpi/acpica/exoparg3.c
@@ -159,7 +159,7 @@ acpi_status acpi_ex_opcode_3A_1T_1R(struct acpi_walk_state *walk_state)
  
                 /* Truncate request if larger than the actual String/Buffer */
  
-               else if ((index + length) > operand[0]->string.length) {
+               else if ((index + length) > operand[0]->string.length || (index + length) < index) {    /* Check for overflow */
                         length =
                             (acpi_size)operand[0]->string.length -
                             (acpi_size)index;
author	ikaros <void0red@gmail.com>
	Wed, 27 May 2026 18:02:06 +0000 (20:02 +0200)
committer	Rafael J. Wysocki <rafael.j.wysocki@intel.com>
	Wed, 27 May 2026 18:18:46 +0000 (20:18 +0200)