author | Todd C. Miller <millert@cvs.openbsd.org> | 2002-08-02 16:13:08 +0000 |
---|---|---|
committer | Todd C. Miller <millert@cvs.openbsd.org> | 2002-08-02 16:13:08 +0000 |
commit | a725f7b84119cee1a43880f6fbe9ef73c1edc07a (patch) | |
tree | 4ed3bcba829808c53ce5e5698482dc8e15668de7 /sys/arch | |
parent | b0e6567fb529f695856bcc0d3526100ee6f1c5a0 (diff) |
Do correct bounds checking in get/set/put cmap routines. A few of
these checks were already OK but have been modified for consistency.
Problem found by Silvio Cesare.
Diffstat (limited to 'sys/arch')
-rw-r--r-- | sys/arch/amiga/dev/grf_cl.c | 6 | ||||
-rw-r--r-- | sys/arch/amiga/dev/grf_cv.c | 6 | ||||
-rw-r--r-- | sys/arch/amiga/dev/grf_et.c | 6 | ||||
-rw-r--r-- | sys/arch/amiga/dev/grf_rh.c | 6 | ||||
-rw-r--r-- | sys/arch/amiga/dev/grf_rt.c | 6 | ||||
-rw-r--r-- | sys/arch/amiga/dev/grf_ul.c | 6 | ||||
-rw-r--r-- | sys/arch/amiga/dev/view.c | 7 | ||||
-rw-r--r-- | sys/arch/macppc/pci/vgafb.c | 10 | ||||
-rw-r--r-- | sys/arch/sparc/dev/bt_subr.c | 6 | ||||
-rw-r--r-- | sys/arch/sparc/dev/cgfourteen.c | 14 | ||||
-rw-r--r-- | sys/arch/sparc/dev/cgtwo.c | 6 | ||||
-rw-r--r-- | sys/arch/sparc64/dev/vgafb.c | 12 | ||||
-rw-r--r-- | sys/arch/sun3/dev/bt_subr.c | 6 | ||||
-rw-r--r-- | sys/arch/sun3/dev/cg2.c | 6 | ||||
-rw-r--r-- | sys/arch/sun3/dev/cg4.c | 14 |
15 files changed, 61 insertions, 56 deletions
diff --git a/sys/arch/amiga/dev/grf_cl.c b/sys/arch/amiga/dev/grf_cl.c index e26bb3243ef..4742e8e0e2f 100644 --- a/sys/arch/amiga/dev/grf_cl.c +++ b/sys/arch/amiga/dev/grf_cl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: grf_cl.c,v 1.16 2002/03/14 01:26:28 millert Exp $ */ +/* $OpenBSD: grf_cl.c,v 1.17 2002/08/02 16:13:07 millert Exp $ */ /* $NetBSD: grf_cl.c,v 1.20 1997/07/29 17:46:24 veego Exp $ */ /* @@ -1147,7 +1147,7 @@ cl_getcmap(gfp, cmap) if (cmap->count == 0 || cmap->index >= 256) return 0; - if (cmap->index + cmap->count > 256) + if (cmap->count > 256 - cmap->index) cmap->count = 256 - cmap->index; ba = gfp->g_regkva; @@ -1182,7 +1182,7 @@ cl_putcmap(gfp, cmap) if (cmap->count == 0 || cmap->index >= 256) return (0); - if (cmap->index + cmap->count > 256) + if (cmap->count > 256 - cmap->index) cmap->count = 256 - cmap->index; /* first copy the colors into kernelspace */ diff --git a/sys/arch/amiga/dev/grf_cv.c b/sys/arch/amiga/dev/grf_cv.c index 6852437bcc3..3c6e7fce954 100644 --- a/sys/arch/amiga/dev/grf_cv.c +++ b/sys/arch/amiga/dev/grf_cv.c @@ -1,4 +1,4 @@ -/* $OpenBSD: grf_cv.c,v 1.17 2002/03/14 01:26:28 millert Exp $ */ +/* $OpenBSD: grf_cv.c,v 1.18 2002/08/02 16:13:07 millert Exp $ */ /* $NetBSD: grf_cv.c,v 1.24 1997/07/30 11:05:55 veego Exp $ */ /* @@ -1078,7 +1078,7 @@ cv_getcmap(gfp, cmap) if (cmap->count == 0 || cmap->index >= 256) return (0); - if (cmap->index + cmap->count > 256) + if (cmap->count > 256 - cmap->index) cmap->count = 256 - cmap->index; /* first read colors out of the chip, then copyout to userspace */ @@ -1118,7 +1118,7 @@ cv_putcmap(gfp, cmap) if (cmap->count == 0 || cmap->index >= 256) return (0); - if (cmap->index + cmap->count > 256) + if (cmap->count > 256 - cmap->index) cmap->count = 256 - cmap->index; /* first copy the colors into kernelspace */ diff --git a/sys/arch/amiga/dev/grf_et.c b/sys/arch/amiga/dev/grf_et.c index 30e1dfd8d60..37273a7dec0 100644 --- a/sys/arch/amiga/dev/grf_et.c +++ b/sys/arch/amiga/dev/grf_et.c 
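Review bot: The rewritten clamp in cl_getcmap, `if (cmap->count > 256 - cmap->index)`, is only sound if `cmap->index` and `cmap->count` are unsigned, and the hunk does not show their declarations. If the structure declares them as plain `int`, a negative index still passes `cmap->index >= 256` and makes `256 - cmap->index` larger than the table, so I would either reject negative values explicitly or copy both fields into unsigned locals before the test, e.g. `u_int index = cmap->index, count = cmap->count;`. The same applies to cl_putcmap and to the matching cv_, et_, rh_, rt_ and ul_ get/put hunks in this commit. All of these functions begin and end outside their hunks.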
@@ -1,4 +1,4 @@ -/* $OpenBSD: grf_et.c,v 1.8 2002/03/14 01:26:28 millert Exp $ */ +/* $OpenBSD: grf_et.c,v 1.9 2002/08/02 16:13:07 millert Exp $ */ /* $NetBSD: grf_et.c,v 1.10 1997/07/29 17:46:31 veego Exp $ */ /* @@ -874,7 +874,7 @@ et_getcmap(gfp, cmap) if (cmap->count == 0 || cmap->index >= 256) return 0; - if (cmap->index + cmap->count > 256) + if (cmap->count > 256 - cmap->index) cmap->count = 256 - cmap->index; ba = gfp->g_regkva; @@ -927,7 +927,7 @@ et_putcmap(gfp, cmap) if (cmap->count == 0 || cmap->index >= 256) return (0); - if (cmap->index + cmap->count > 256) + if (cmap->count > 256 - cmap->index) cmap->count = 256 - cmap->index; /* first copy the colors into kernelspace */ diff --git a/sys/arch/amiga/dev/grf_rh.c b/sys/arch/amiga/dev/grf_rh.c index a2963a6cb65..5cd849ee79a 100644 --- a/sys/arch/amiga/dev/grf_rh.c +++ b/sys/arch/amiga/dev/grf_rh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: grf_rh.c,v 1.15 2002/04/29 06:26:50 pvalchev Exp $ */ +/* $OpenBSD: grf_rh.c,v 1.16 2002/08/02 16:13:07 millert Exp $ */ /* $NetBSD: grf_rh.c,v 1.27 1997/07/29 17:52:05 veego Exp $ */ /* @@ -1836,7 +1836,7 @@ rh_getcmap (gfp, cmap) if (cmap->count == 0 || cmap->index >= 256) return 0; - if (cmap->index + cmap->count > 256) + if (cmap->count > 256 - cmap->index) cmap->count = 256 - cmap->index; ba = gfp->g_regkva; @@ -1873,7 +1873,7 @@ rh_putcmap (gfp, cmap) if (cmap->count == 0 || cmap->index >= 256) return(0); - if (cmap->index + cmap->count > 256) + if (cmap->count > 256 - cmap->index) cmap->count = 256 - cmap->index; /* first copy the colors into kernelspace */ diff --git a/sys/arch/amiga/dev/grf_rt.c b/sys/arch/amiga/dev/grf_rt.c index 1c6e5907f8e..784d86eecfd 100644 --- a/sys/arch/amiga/dev/grf_rt.c +++ b/sys/arch/amiga/dev/grf_rt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: grf_rt.c,v 1.13 2002/04/29 06:26:50 pvalchev Exp $ */ +/* $OpenBSD: grf_rt.c,v 1.14 2002/08/02 16:13:07 millert Exp $ */ /* $NetBSD: grf_rt.c,v 1.35 1997/07/29 17:52:09 veego Exp $ */ /* 
@@ -1158,7 +1158,7 @@ rt_getcmap (gfp, cmap) if (cmap->count == 0 || cmap->index >= 256) return (0); - if (cmap->index + cmap->count > 256) + if (cmap->count > 256 - cmap->index) cmap->count = 256 - cmap->index; ba = gfp->g_regkva; @@ -1196,7 +1196,7 @@ rt_putcmap (gfp, cmap) if (cmap->count == 0 || cmap->index >= 256) return 0; - if (cmap->index + cmap->count > 256) + if (cmap->count > 256 - cmap->index) cmap->count = 256 - cmap->index; /* first copy the colors into kernelspace */ diff --git a/sys/arch/amiga/dev/grf_ul.c b/sys/arch/amiga/dev/grf_ul.c index 5cc7dfbe856..b456f377a3d 100644 --- a/sys/arch/amiga/dev/grf_ul.c +++ b/sys/arch/amiga/dev/grf_ul.c @@ -1,4 +1,4 @@ -/* $OpenBSD: grf_ul.c,v 1.14 2002/03/14 01:26:29 millert Exp $ */ +/* $OpenBSD: grf_ul.c,v 1.15 2002/08/02 16:13:07 millert Exp $ */ /* $NetBSD: grf_ul.c,v 1.24 1997/07/29 17:50:01 veego Exp $ */ #define UL_DEBUG @@ -799,7 +799,7 @@ ul_getcmap (gp, cmap, dev) if (cmap->count == 0 || cmap->index >= mxidx) return 0; - if (cmap->index + cmap->count > mxidx) + if (cmap->count > mxidx - cmap->index) cmap->count = mxidx - cmap->index; /* just copyout from the shadow color map */ @@ -842,7 +842,7 @@ ul_putcmap (gp, cmap, dev) if (cmap->count == 0 || cmap->index >= mxidx) return 0; - if (cmap->index + cmap->count > mxidx) + if (cmap->count > mxidx - cmap->index) cmap->count = mxidx - cmap->index; /* first copyin to our shadow color map */ diff --git a/sys/arch/amiga/dev/view.c b/sys/arch/amiga/dev/view.c index c5d2e21c40d..7fe31dcdd32 100644 --- a/sys/arch/amiga/dev/view.c +++ b/sys/arch/amiga/dev/view.c @@ -1,4 +1,4 @@ -/* $OpenBSD: view.c,v 1.7 2002/06/11 03:25:43 miod Exp $ */ +/* $OpenBSD: view.c,v 1.8 2002/08/02 16:13:07 millert Exp $ */ /* $NetBSD: view.c,v 1.16 1996/10/13 03:07:35 christos Exp $ */ /* 
@@ -348,7 +348,10 @@ view_get_colormap (vu, ucm) u_long *uep; /* add one incase of zero, ick. */ - cme = malloc(sizeof (u_long)*(ucm->size + 1), M_IOCTLOPS, M_WAITOK); + if (ucm->size >= SIZE_T_MAX / sizeof(u_long)) + return (EINVAL); + cme = malloc(sizeof(u_long) * ((size_t)ucm->size + 1), M_IOCTLOPS, + M_WAITOK); uep = ucm->entry; error = 0; diff --git a/sys/arch/macppc/pci/vgafb.c b/sys/arch/macppc/pci/vgafb.c index 99311e7eb2c..ceddd8dcc43 100644 --- a/sys/arch/macppc/pci/vgafb.c +++ b/sys/arch/macppc/pci/vgafb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: vgafb.c,v 1.15 2002/07/21 16:31:15 drahn Exp $ */ +/* $OpenBSD: vgafb.c,v 1.16 2002/08/02 16:13:07 millert Exp $ */ /* $NetBSD: vga.c,v 1.3 1996/12/02 22:24:54 cgd Exp $ */ /* @@ -468,7 +468,7 @@ vgafb_getcmap(vc, cm) u_int count = cm->count; int error; - if (index >= 256 || count > 256 || index + count > 256) + if (index >= 256 || count > 256 - index) return EINVAL; error = copyout(&vc->vc_cmap_red[index], cm->red, count); @@ -489,12 +489,12 @@ vgafb_putcmap(vc, cm) struct vgafb_config *vc; struct wsdisplay_cmap *cm; { - int index = cm->index; - int count = cm->count; + u_int index = cm->index; + u_int count = cm->count; int i; u_int8_t *r, *g, *b; - if (index >= 256 || count > 256 || index + count > 256) + if (index >= 256 || count > 256 - index) return EINVAL; if (!uvm_useracc(cm->red, count, B_READ) || !uvm_useracc(cm->green, count, B_READ) || diff --git a/sys/arch/sparc/dev/bt_subr.c b/sys/arch/sparc/dev/bt_subr.c index 9a24467081b..224de260bfa 100644 --- a/sys/arch/sparc/dev/bt_subr.c +++ b/sys/arch/sparc/dev/bt_subr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bt_subr.c,v 1.6 2001/11/06 19:53:16 miod Exp $ */ +/* $OpenBSD: bt_subr.c,v 1.7 2002/08/02 16:13:07 millert Exp $ */ /* $NetBSD: bt_subr.c,v 1.5 1996/03/14 19:44:32 christos Exp $ */ /* 
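Review bot: The new guard in view_get_colormap, `if (ucm->size >= SIZE_T_MAX / sizeof(u_long))`, stops the multiplication from wrapping but still lets a caller-supplied `ucm->size` drive an `M_WAITOK` allocation of almost arbitrary size. Nothing in the hunk compares `ucm->size` with the number of entries the view's colormap actually holds; if that limit is known at this point, rejecting larger requests before the `malloc` would bound the allocation. Whether such a check exists later cannot be seen, since the function body continues outside the hunk. A short comment naming the overflow being guarded would also help, e.g. `/* reject sizes where (size + 1) * sizeof(u_long) would wrap */`.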
@@ -77,7 +77,7 @@ bt_getcmap(p, cm, cmsize) start = p->index; count = p->count; - if (start >= cmsize || start + count > cmsize) + if (start >= cmsize || count > cmsize - start) return (EINVAL); if (!uvm_useracc(p->red, count, B_WRITE) || !uvm_useracc(p->green, count, B_WRITE) || @@ -105,7 +105,7 @@ bt_putcmap(p, cm, cmsize) start = p->index; count = p->count; - if (start >= cmsize || start + count > cmsize) + if (start >= cmsize || count > cmsize - start) return (EINVAL); if (!uvm_useracc(p->red, count, B_READ) || !uvm_useracc(p->green, count, B_READ) || diff --git a/sys/arch/sparc/dev/cgfourteen.c b/sys/arch/sparc/dev/cgfourteen.c index 9c4c0719a4f..372df567452 100644 --- a/sys/arch/sparc/dev/cgfourteen.c +++ b/sys/arch/sparc/dev/cgfourteen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cgfourteen.c,v 1.9 2002/03/14 01:26:42 millert Exp $ */ +/* $OpenBSD: cgfourteen.c,v 1.10 2002/08/02 16:13:07 millert Exp $ */ /* $NetBSD: cgfourteen.c,v 1.7 1997/05/24 20:16:08 pk Exp $ */ /* @@ -748,11 +748,11 @@ cg14_get_cmap(p, cm, cmsize) start = p->index; count = p->count; - if (start >= cmsize || start + count > cmsize) + if (start >= cmsize || count > cmsize - start) #ifdef DEBUG { - printf("putcmaperror: start %d cmsize %d count %d\n", - start,cmsize,count); + printf("putcmaperror: start %u cmsize %d count %u\n", + start, cmsize, count); #endif return (EINVAL); #ifdef DEBUG @@ -783,11 +783,11 @@ cg14_put_cmap(p, cm, cmsize) start = p->index; count = p->count; - if (start >= cmsize || start + count > cmsize) + if (start >= cmsize || count > cmsize - start) #ifdef DEBUG { - printf("putcmaperror: start %d cmsize %d count %d\n", - start,cmsize,count); + printf("putcmaperror: start %u cmsize %d count %u\n", + start, cmsize, count); #endif return (EINVAL); #ifdef DEBUG diff --git a/sys/arch/sparc/dev/cgtwo.c b/sys/arch/sparc/dev/cgtwo.c index 4f3b8d44627..2204e78e2db 100644 --- a/sys/arch/sparc/dev/cgtwo.c +++ b/sys/arch/sparc/dev/cgtwo.c 
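Review bot: In cg14_get_cmap the DEBUG message still reads `putcmaperror`, the same string as in cg14_put_cmap, so a log line cannot tell which ioctl path rejected the request; `printf("getcmaperror: start %u cmsize %d count %u\n", start, cmsize, count);` would fix that while the line is being touched anyway. The `%d` kept for `cmsize` suggests it is a signed `int` compared against unsigned `start` and `count`, which is fine only as long as callers pass a positive size. That assumption is worth stating in a comment, and it applies equally to the bt_getcmap/bt_putcmap hunks in sparc/dev/bt_subr.c and sun3/dev/bt_subr.c. The function bodies extend beyond the hunks.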
@@ -1,4 +1,4 @@ -/* $OpenBSD: cgtwo.c,v 1.20 2002/03/14 03:15:59 millert Exp $ */ +/* $OpenBSD: cgtwo.c,v 1.21 2002/08/02 16:13:07 millert Exp $ */ /* $NetBSD: cgtwo.c,v 1.22 1997/05/24 20:16:12 pk Exp $ */ /* @@ -341,7 +341,7 @@ cgtwogetcmap(sc, cmap) start = cmap->index; count = cmap->count; ecount = start + count; - if (start >= CG2_CMSIZE || ecount > CG2_CMSIZE) + if (start >= CG2_CMSIZE || count > CG2_CMSIZE - start) return (EINVAL); /* XXX - Wait for retrace? */ @@ -384,7 +384,7 @@ cgtwoputcmap(sc, cmap) start = cmap->index; count = cmap->count; ecount = start + count; - if (start >= CG2_CMSIZE || ecount > CG2_CMSIZE) + if (start >= CG2_CMSIZE || count > CG2_CMSIZE - start) return (EINVAL); /* Copy from user space to local arrays. */ diff --git a/sys/arch/sparc64/dev/vgafb.c b/sys/arch/sparc64/dev/vgafb.c index ced7fbe3f37..30710b36ecc 100644 --- a/sys/arch/sparc64/dev/vgafb.c +++ b/sys/arch/sparc64/dev/vgafb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: vgafb.c,v 1.24 2002/07/30 17:55:56 jason Exp $ */ +/* $OpenBSD: vgafb.c,v 1.25 2002/08/02 16:13:07 millert Exp $ */ /* * Copyright (c) 2001 Jason L. Wright (jason@thought.net) @@ -327,6 +327,9 @@ vgafb_getcmap(sc, cm) u_int count = cm->count; int error; + if (index >= 256 || count > 256 - index) + return (EINVAL); + error = copyout(&sc->sc_cmap_red[index], cm->red, count); if (error) return (error); @@ -344,13 +347,12 @@ vgafb_putcmap(sc, cm) struct vgafb_softc *sc; struct wsdisplay_cmap *cm; { - int index = cm->index; - int count = cm->count; + u_int index = cm->index; + u_int count = cm->count; int i; u_char *r, *g, *b; - if (cm->index >= 256 || cm->count > 256 || - (cm->index + cm->count) > 256) + if (index >= 256 || count > 256 - index) return (EINVAL); if (!uvm_useracc(cm->red, cm->count, B_READ) || !uvm_useracc(cm->green, cm->count, B_READ) || diff --git a/sys/arch/sun3/dev/bt_subr.c b/sys/arch/sun3/dev/bt_subr.c index d51468ad11e..17022d60069 100644 --- a/sys/arch/sun3/dev/bt_subr.c +++ b/sys/arch/sun3/dev/bt_subr.c 
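Review bot: In cgtwogetcmap `ecount = start + count;` is still evaluated before the new test `count > CG2_CMSIZE - start`, so the sum is computed from unvalidated values even though the check no longer uses it. If `ecount` is used further down (not visible here, the function continues past the hunk), moving the assignment below the `return (EINVAL);` makes it clear that it is only ever derived from a range that has passed the check. The same ordering is left in cgtwoputcmap and in cg2getcmap/cg2putcmap in sun3/dev/cg2.c.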
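Review bot: vgafb_putcmap in sparc64/dev/vgafb.c now validates the `u_int` locals `index` and `count`, but the `uvm_useracc` calls right after the check still read `cm->count`. Using the validated local, `if (!uvm_useracc(cm->red, count, B_READ) ||` and likewise for green and blue, keeps every later use tied to the value that was checked and matches the macppc version of this function. The function continues outside the hunk.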
@@ -1,4 +1,4 @@ -/* $OpenBSD: bt_subr.c,v 1.2 1997/01/16 04:03:42 kstailey Exp $ */ +/* $OpenBSD: bt_subr.c,v 1.3 2002/08/02 16:13:07 millert Exp $ */ /* $NetBSD: bt_subr.c,v 1.2 1995/04/10 22:12:48 gwr Exp $ */ /* @@ -74,7 +74,7 @@ bt_getcmap(p, cm, cmsize) start = p->index; count = p->count; - if (start >= cmsize || start + count > cmsize) + if (start >= cmsize || count > cmsize - start) return (EINVAL); if (!useracc(p->red, count, B_WRITE) || !useracc(p->green, count, B_WRITE) || @@ -102,7 +102,7 @@ bt_putcmap(p, cm, cmsize) start = p->index; count = p->count; - if (start >= cmsize || start + count > cmsize) + if (start >= cmsize || count > cmsize - start) return (EINVAL); if (!useracc(p->red, count, B_READ) || !useracc(p->green, count, B_READ) || diff --git a/sys/arch/sun3/dev/cg2.c b/sys/arch/sun3/dev/cg2.c index 5422ac1fe7e..59c94827178 100644 --- a/sys/arch/sun3/dev/cg2.c +++ b/sys/arch/sun3/dev/cg2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cg2.c,v 1.11 2002/03/14 03:16:01 millert Exp $ */ +/* $OpenBSD: cg2.c,v 1.12 2002/08/02 16:13:07 millert Exp $ */ /* $NetBSD: cg2.c,v 1.7 1996/10/13 03:47:26 christos Exp $ */ /* @@ -315,7 +315,7 @@ cg2getcmap(fb, cmap) start = cmap->index; count = cmap->count; ecount = start + count; - if (start >= CMSIZE || ecount > CMSIZE) + if (start >= CMSIZE || count > CMSIZE - start) return (EINVAL); /* XXX - Wait for retrace? */ @@ -358,7 +358,7 @@ cg2putcmap(fb, cmap) start = cmap->index; count = cmap->count; ecount = start + count; - if (start >= CMSIZE || ecount > CMSIZE) + if (start >= CMSIZE || count > CMSIZE - start) return (EINVAL); /* Copy from user space to local arrays. */ diff --git a/sys/arch/sun3/dev/cg4.c b/sys/arch/sun3/dev/cg4.c index da050615dae..3b04679854d 100644 --- a/sys/arch/sun3/dev/cg4.c +++ b/sys/arch/sun3/dev/cg4.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: cg4.c,v 1.11 2002/03/14 01:26:46 millert Exp $ */ +/* $OpenBSD: cg4.c,v 1.12 2002/08/02 16:13:07 millert Exp $ */ /* $NetBSD: cg4.c,v 1.11 1996/10/29 19:54:19 gwr Exp $ */ /* @@ -403,12 +403,12 @@ cg4getcmap(fb, fbcm) { struct cg4_softc *sc = fb->fb_private; struct soft_cmap *cm = &sc->sc_cmap; - int error, start, count; + u_int start, count; + int error; start = fbcm->index; count = fbcm->count; - if ((start < 0) || (start >= CMAP_SIZE) || - (count < 0) || (start + count > CMAP_SIZE) ) + if (start >= CMAP_SIZE || count > CMAP_SIZE - start) return (EINVAL); if ((error = copyout(&cm->r[start], fbcm->red, count)) != 0) @@ -434,12 +434,12 @@ cg4putcmap(fb, fbcm) { struct cg4_softc *sc = fb->fb_private; struct soft_cmap *cm = &sc->sc_cmap; - int error, start, count; + u_int start, count; + int error; start = fbcm->index; count = fbcm->count; - if ((start < 0) || (start >= CMAP_SIZE) || - (count < 0) || (start + count > CMAP_SIZE) ) + if (start >= CMAP_SIZE || count > CMAP_SIZE - start) return (EINVAL); if ((error = copyin(fbcm->red, &cm->r[start], count)) != 0) |