mtk: gud: upstream update (up to ~june 17)

1 files changed, 12 insertions, 5 deletions

diff --git a/drivers/misc/mediatek/gpu/ged/src/ged_main.c b/drivers/misc/mediatek/gpu/ged/src/ged_main.c
index eff199d18..593d6d4a6 100644
--- a/drivers/misc/mediatek/gpu/ged/src/ged_main.c
+++ b/drivers/misc/mediatek/gpu/ged/src/ged_main.c
@@ -84,14 +84,21 @@ static long ged_dispatch(GED_BRIDGE_PACKAGE *psBridgePackageKM)
 {
     int ret = -EFAULT;
     void *pvInt, *pvOut;
-    typedef int (ged_bridge_func_type)(void*, void*);
+    typedef int (ged_bridge_func_type)(void *, void *);
     ged_bridge_func_type* pFunc = NULL;
-    
-    if ((psBridgePackageKM->i32InBufferSize >=0) && (psBridgePackageKM->i32OutBufferSize >=0) &&
-        (psBridgePackageKM->i32InBufferSize + psBridgePackageKM->i32OutBufferSize < GED_IOCTL_PARAM_BUF_SIZE))
+
+	/* We make sure the both size and the sum of them are GE 0 integer.
+	 * The sum will not overflow to zero, because we will get zero from two GE 0 integers
+	 * if and only if they are both zero in a 2's complement numeral system.
+	 * That is: if overflow happen, the sum will be a negative number.
+	 */
+    if (psBridgePackageKM->i32InBufferSize >= 0 && psBridgePackageKM->i32OutBufferSize >= 0
+            && psBridgePackageKM->i32InBufferSize + psBridgePackageKM->i32OutBufferSize >= 0
+            && psBridgePackageKM->i32InBufferSize + psBridgePackageKM->i32OutBufferSize
+            < GED_IOCTL_PARAM_BUF_SIZE)
     {
         pvInt = gvIOCTLParamBuf;
-        pvOut = (void*)((char*)pvInt + (uintptr_t)psBridgePackageKM->i32InBufferSize);
+        pvOut = (void *)((char *)pvInt + (uintptr_t)psBridgePackageKM->i32InBufferSize);
         if (psBridgePackageKM->i32InBufferSize > 0)
         {
             if (0 != ged_copy_from_user(pvInt, psBridgePackageKM->pvParamIn, psBridgePackageKM->i32InBufferSize))