Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-2-0]: src/sys/dev Pull up following revision(s) (requested by mjf...
details: https://anonhg.NetBSD.org/src/rev/79759344af05
branches: netbsd-2-0
changeset: 565058:79759344af05
user: bouyer <bouyer%NetBSD.org@localhost>
date: Sun Aug 12 19:52:27 2007 +0000
description:
Pull up following revision(s) (requested by mjf in ticket #11348):
Pull up following revision(s) (requested by mjf in ticket #11348):
sys/dev/ic/pcdisplay_subr.c: revision 1.33 via patch
sys/dev/ic/vga_raster.c: revision 1.29 via patch
sys/dev/ic/vga.c: revision 1.95 via patch
sys/dev/rasops/rasops.c: revision 1.56 via patch
sys/dev/isa/ega.c: revision 1.23 via patch
Implement bounds checking in some places in display driver code to avoid
the possibility of a local user panic.
Set the 'ri' pointer before use.
diffstat:
sys/dev/ic/pcdisplay_subr.c | 10 +++++++---
sys/dev/ic/vga.c | 8 ++++++--
sys/dev/ic/vga_raster.c | 13 ++++++++++---
sys/dev/isa/ega.c | 8 ++++++--
sys/dev/rasops/rasops.c | 8 ++++++--
5 files changed, 35 insertions(+), 12 deletions(-)
diffs (167 lines):
diff -r 04273df9a9ff -r 79759344af05 sys/dev/ic/pcdisplay_subr.c
--- a/sys/dev/ic/pcdisplay_subr.c Sat Aug 11 14:51:05 2007 +0000
+++ b/sys/dev/ic/pcdisplay_subr.c Sun Aug 12 19:52:27 2007 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: pcdisplay_subr.c,v 1.25.8.1 2004/06/07 09:37:44 tron Exp $ */
+/* $NetBSD: pcdisplay_subr.c,v 1.25.8.2 2007/08/12 19:52:27 bouyer Exp $ */
/*
* Copyright (c) 1995, 1996 Carnegie-Mellon University.
@@ -28,7 +28,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: pcdisplay_subr.c,v 1.25.8.1 2004/06/07 09:37:44 tron Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pcdisplay_subr.c,v 1.25.8.2 2007/08/12 19:52:27 bouyer Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -167,10 +167,14 @@
struct pcdisplayscreen *scr = id;
bus_space_tag_t memt = scr->hdl->ph_memt;
bus_space_handle_t memh = scr->hdl->ph_memh;
- int off;
+ size_t off;
off = row * scr->type->ncols + col;
+ /* check for bogus row and column sizes */
+ if (__predict_false(off >= (scr->type->ncols * scr->type->nrows)))
+ return;
+
if (scr->active)
bus_space_write_2(memt, memh, scr->dispoffset + off * 2,
c | (attr << 8));
diff -r 04273df9a9ff -r 79759344af05 sys/dev/ic/vga.c
--- a/sys/dev/ic/vga.c Sat Aug 11 14:51:05 2007 +0000
+++ b/sys/dev/ic/vga.c Sun Aug 12 19:52:27 2007 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: vga.c,v 1.71.4.5 2004/08/22 13:44:54 tron Exp $ */
+/* $NetBSD: vga.c,v 1.71.4.6 2007/08/12 19:52:27 bouyer Exp $ */
/*
* Copyright (c) 1995, 1996 Carnegie-Mellon University.
@@ -28,7 +28,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: vga.c,v 1.71.4.5 2004/08/22 13:44:54 tron Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vga.c,v 1.71.4.6 2007/08/12 19:52:27 bouyer Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -1027,6 +1027,10 @@
struct vgascreen *scr = id;
struct vga_config *vc = scr->cfg;
+ if (__predict_false((unsigned int)fg >= sizeof(fgansitopc) ||
+ (unsigned int)bg >= sizeof(bgansitopc)))
+ return (EINVAL);
+
if (vc->hdl.vh_mono) {
if (flags & WSATTR_WSCOLORS)
return (EINVAL);
diff -r 04273df9a9ff -r 79759344af05 sys/dev/ic/vga_raster.c
--- a/sys/dev/ic/vga_raster.c Sat Aug 11 14:51:05 2007 +0000
+++ b/sys/dev/ic/vga_raster.c Sun Aug 12 19:52:27 2007 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: vga_raster.c,v 1.12 2003/07/14 15:47:12 lukem Exp $ */
+/* $NetBSD: vga_raster.c,v 1.12.2.1 2007/08/12 19:52:27 bouyer Exp $ */
/*
* Copyright (c) 2001, 2002 Bang Jun-Young
@@ -55,7 +55,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: vga_raster.c,v 1.12 2003/07/14 15:47:12 lukem Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vga_raster.c,v 1.12.2.1 2007/08/12 19:52:27 bouyer Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -1085,12 +1085,15 @@
vga_raster_putchar(void *id, int row, int col, u_int c, long attr)
{
struct vgascreen *scr = id;
- int off;
+ size_t off;
struct vga_raster_font *fs;
u_int tmp_ch;
off = row * scr->type->ncols + col;
+ if (__predict_false(off >= (scr->type->ncols * scr->type->nrows)))
+ return;
+
LIST_FOREACH(fs, &scr->fontset, next) {
if ((scr->encoding == fs->font->encoding) &&
(c >= fs->font->firstchar) &&
@@ -1355,6 +1358,10 @@
struct vgascreen *scr = id;
struct vga_config *vc = scr->cfg;
+ if (__predict_false((unsigned int)fg >= sizeof(fgansitopc) ||
+ (unsigned int)bg >= sizeof(bgansitopc)))
+ return (EINVAL);
+
if (vc->hdl.vh_mono) {
if (flags & WSATTR_WSCOLORS)
return (EINVAL);
diff -r 04273df9a9ff -r 79759344af05 sys/dev/isa/ega.c
--- a/sys/dev/isa/ega.c Sat Aug 11 14:51:05 2007 +0000
+++ b/sys/dev/isa/ega.c Sun Aug 12 19:52:27 2007 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ega.c,v 1.16 2004/03/24 17:26:53 drochner Exp $ */
+/* $NetBSD: ega.c,v 1.16.2.1 2007/08/12 19:52:27 bouyer Exp $ */
/*
* Copyright (c) 1999
@@ -27,7 +27,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ega.c,v 1.16 2004/03/24 17:26:53 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ega.c,v 1.16.2.1 2007/08/12 19:52:27 bouyer Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -849,6 +849,10 @@
struct egascreen *scr = id;
struct ega_config *vc = scr->cfg;
+ if (__predict_false((unsigned int)fg >= sizeof(fgansitopc) ||
+ (unsigned int)bg >= sizeof(bgansitopc)))
+ return (EINVAL);
+
if (vc->hdl.vh_mono) {
if (flags & WSATTR_WSCOLORS)
return (EINVAL);
diff -r 04273df9a9ff -r 79759344af05 sys/dev/rasops/rasops.c
--- a/sys/dev/rasops/rasops.c Sat Aug 11 14:51:05 2007 +0000
+++ b/sys/dev/rasops/rasops.c Sun Aug 12 19:52:27 2007 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: rasops.c,v 1.44 2003/11/08 22:49:28 uwe Exp $ */
+/* $NetBSD: rasops.c,v 1.44.2.1 2007/08/12 19:52:28 bouyer Exp $ */
/*-
* Copyright (c) 1999 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: rasops.c,v 1.44 2003/11/08 22:49:28 uwe Exp $");
+__KERNEL_RCSID(0, "$NetBSD: rasops.c,v 1.44.2.1 2007/08/12 19:52:28 bouyer Exp $");
#include "opt_rasops.h"
#include "rasops_glue.h"
@@ -389,6 +389,10 @@
{
int swap;
+ if (__predict_false((unsigned int)fg >= sizeof(rasops_isgray) ||
+ (unsigned int)bg >= sizeof(rasops_isgray)))
+ return (EINVAL);
+
#ifdef RASOPS_CLIPPING
fg &= 7;
bg &= 7;
Home |
Main Index |
Thread Index |
Old Index