From 09bc9ca95bd86a999a6d8e022d0b57f84dcd2248 Mon Sep 17 00:00:00 2001
From: Frederic Weisbecker
Date: Sat, 21 May 2011 20:08:15 +0200
Subject: [PATCH] --- yaml --- r: 248590 b: refs/heads/master c: 98e1da905cbe64bb023a165c7c01eef5e800609e h: refs/heads/master v: v3
---
 [refs] | 2 +-
 trunk/tools/perf/util/evsel.c | 26 ++++++++++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/[refs] b/[refs]
index 5dcf8e1f242e..d75e083f5ce8 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: a285412479b6d5af3e48273a92ec2f1987df8cd1
+refs/heads/master: 98e1da905cbe64bb023a165c7c01eef5e800609e
diff --git a/trunk/tools/perf/util/evsel.c b/trunk/tools/perf/util/evsel.c
index bfce8bf642fa..ee0fe0dffa71 100644
--- a/trunk/tools/perf/util/evsel.c
+++ b/trunk/tools/perf/util/evsel.c
@@ -303,6 +303,17 @@ static int perf_event__parse_id_sample(const union perf_event *event, u64 type,
 return 0;
 }
 
+static bool sample_overlap(const union perf_event *event,
+ const void *offset, u64 size)
+{
+ const void *base = event;
+
+ if (offset + size > base + event->header.size)
+ return true;
+
+ return false;
+}
+
 int perf_event__parse_sample(const union perf_event *event, u64 type,
 int sample_size, bool sample_id_all,
 struct perf_sample *data)
@@ -373,14 +384,29 @@ int perf_event__parse_sample(const union perf_event *event, u64 type,
 }
 
 if (type & PERF_SAMPLE_CALLCHAIN) {
+ if (sample_overlap(event, array, sizeof(data->callchain->nr)))
+ return -EFAULT;
+
 data->callchain = (struct ip_callchain *)array;
+
+ if (sample_overlap(event, array, data->callchain->nr))
+ return -EFAULT;
+
 array += 1 + data->callchain->nr;
 }
 
 if (type & PERF_SAMPLE_RAW) {
 u32 *p = (u32 *)array;
+
+ if (sample_overlap(event, array, sizeof(u32)))
+ return -EFAULT;
+
 data->raw_size = *p;
 p++;
+
+ if (sample_overlap(event, p, data->raw_size))
+ return -EFAULT;
+
 data->raw_data = p;
 }
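Review bot: In `sample_overlap`, `offset + size` is computed before the comparison, so a very large `size` read from the event data can wrap the pointer and let the check pass. There is also no lower bound, so an `offset` that has already moved below `event` is accepted. Comparing lengths instead of pointers closes both gaps: `u64 used = offset - base;` followed by `return used > event->header.size || size > event->header.size - used;`. A short comment such as `/* true if [offset, offset + size) is not fully inside the event record */` would also help, because the name reads as if two ranges were being compared.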
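Review bot: The second callchain check passes `data->callchain->nr` as a byte count, but `nr` is a number of entries; the next line advances `array` by `1 + data->callchain->nr` elements. Assuming `array` is a `u64 *` (its declaration is outside the hunk), a callchain up to eight times larger than the space left in the record still passes. The size should be in bytes and cover the entries after the `nr` word, e.g. `sample_overlap(event, array + 1, data->callchain->nr * sizeof(u64))`, with `nr` bounded first so the multiplication cannot wrap. The `PERF_SAMPLE_RAW` checks already use byte sizes. `perf_event__parse_sample` starts before and continues past this hunk.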