summaryrefslogtreecommitdiff
path: root/sys/arch
diff options
context:
space:
mode:
authorTodd C. Miller <millert@cvs.openbsd.org>2002-08-02 16:13:08 +0000
committerTodd C. Miller <millert@cvs.openbsd.org>2002-08-02 16:13:08 +0000
commita725f7b84119cee1a43880f6fbe9ef73c1edc07a (patch)
tree4ed3bcba829808c53ce5e5698482dc8e15668de7 /sys/arch
parentb0e6567fb529f695856bcc0d3526100ee6f1c5a0 (diff)
Do correct bounds checking in get/set/put cmap routines. A few of
these check were already OK but have been modified for consistency. Problem found by Silvio Cesare.
Diffstat (limited to 'sys/arch')
-rw-r--r--sys/arch/amiga/dev/grf_cl.c6
-rw-r--r--sys/arch/amiga/dev/grf_cv.c6
-rw-r--r--sys/arch/amiga/dev/grf_et.c6
-rw-r--r--sys/arch/amiga/dev/grf_rh.c6
-rw-r--r--sys/arch/amiga/dev/grf_rt.c6
-rw-r--r--sys/arch/amiga/dev/grf_ul.c6
-rw-r--r--sys/arch/amiga/dev/view.c7
-rw-r--r--sys/arch/macppc/pci/vgafb.c10
-rw-r--r--sys/arch/sparc/dev/bt_subr.c6
-rw-r--r--sys/arch/sparc/dev/cgfourteen.c14
-rw-r--r--sys/arch/sparc/dev/cgtwo.c6
-rw-r--r--sys/arch/sparc64/dev/vgafb.c12
-rw-r--r--sys/arch/sun3/dev/bt_subr.c6
-rw-r--r--sys/arch/sun3/dev/cg2.c6
-rw-r--r--sys/arch/sun3/dev/cg4.c14
15 files changed, 61 insertions, 56 deletions
diff --git a/sys/arch/amiga/dev/grf_cl.c b/sys/arch/amiga/dev/grf_cl.c
index e26bb3243ef..4742e8e0e2f 100644
--- a/sys/arch/amiga/dev/grf_cl.c
+++ b/sys/arch/amiga/dev/grf_cl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: grf_cl.c,v 1.16 2002/03/14 01:26:28 millert Exp $ */
+/* $OpenBSD: grf_cl.c,v 1.17 2002/08/02 16:13:07 millert Exp $ */
/* $NetBSD: grf_cl.c,v 1.20 1997/07/29 17:46:24 veego Exp $ */
/*
@@ -1147,7 +1147,7 @@ cl_getcmap(gfp, cmap)
if (cmap->count == 0 || cmap->index >= 256)
return 0;
- if (cmap->index + cmap->count > 256)
+ if (cmap->count > 256 - cmap->index)
cmap->count = 256 - cmap->index;
ba = gfp->g_regkva;
@@ -1182,7 +1182,7 @@ cl_putcmap(gfp, cmap)
if (cmap->count == 0 || cmap->index >= 256)
return (0);
- if (cmap->index + cmap->count > 256)
+ if (cmap->count > 256 - cmap->index)
cmap->count = 256 - cmap->index;
/* first copy the colors into kernelspace */
diff --git a/sys/arch/amiga/dev/grf_cv.c b/sys/arch/amiga/dev/grf_cv.c
index 6852437bcc3..3c6e7fce954 100644
--- a/sys/arch/amiga/dev/grf_cv.c
+++ b/sys/arch/amiga/dev/grf_cv.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: grf_cv.c,v 1.17 2002/03/14 01:26:28 millert Exp $ */
+/* $OpenBSD: grf_cv.c,v 1.18 2002/08/02 16:13:07 millert Exp $ */
/* $NetBSD: grf_cv.c,v 1.24 1997/07/30 11:05:55 veego Exp $ */
/*
@@ -1078,7 +1078,7 @@ cv_getcmap(gfp, cmap)
if (cmap->count == 0 || cmap->index >= 256)
return (0);
- if (cmap->index + cmap->count > 256)
+ if (cmap->count > 256 - cmap->index)
cmap->count = 256 - cmap->index;
/* first read colors out of the chip, then copyout to userspace */
@@ -1118,7 +1118,7 @@ cv_putcmap(gfp, cmap)
if (cmap->count == 0 || cmap->index >= 256)
return (0);
- if (cmap->index + cmap->count > 256)
+ if (cmap->count > 256 - cmap->index)
cmap->count = 256 - cmap->index;
/* first copy the colors into kernelspace */
diff --git a/sys/arch/amiga/dev/grf_et.c b/sys/arch/amiga/dev/grf_et.c
index 30e1dfd8d60..37273a7dec0 100644
--- a/sys/arch/amiga/dev/grf_et.c
+++ b/sys/arch/amiga/dev/grf_et.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: grf_et.c,v 1.8 2002/03/14 01:26:28 millert Exp $ */
+/* $OpenBSD: grf_et.c,v 1.9 2002/08/02 16:13:07 millert Exp $ */
/* $NetBSD: grf_et.c,v 1.10 1997/07/29 17:46:31 veego Exp $ */
/*
@@ -874,7 +874,7 @@ et_getcmap(gfp, cmap)
if (cmap->count == 0 || cmap->index >= 256)
return 0;
- if (cmap->index + cmap->count > 256)
+ if (cmap->count > 256 - cmap->index)
cmap->count = 256 - cmap->index;
ba = gfp->g_regkva;
@@ -927,7 +927,7 @@ et_putcmap(gfp, cmap)
if (cmap->count == 0 || cmap->index >= 256)
return (0);
- if (cmap->index + cmap->count > 256)
+ if (cmap->count > 256 - cmap->index)
cmap->count = 256 - cmap->index;
/* first copy the colors into kernelspace */
diff --git a/sys/arch/amiga/dev/grf_rh.c b/sys/arch/amiga/dev/grf_rh.c
index a2963a6cb65..5cd849ee79a 100644
--- a/sys/arch/amiga/dev/grf_rh.c
+++ b/sys/arch/amiga/dev/grf_rh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: grf_rh.c,v 1.15 2002/04/29 06:26:50 pvalchev Exp $ */
+/* $OpenBSD: grf_rh.c,v 1.16 2002/08/02 16:13:07 millert Exp $ */
/* $NetBSD: grf_rh.c,v 1.27 1997/07/29 17:52:05 veego Exp $ */
/*
@@ -1836,7 +1836,7 @@ rh_getcmap (gfp, cmap)
if (cmap->count == 0 || cmap->index >= 256)
return 0;
- if (cmap->index + cmap->count > 256)
+ if (cmap->count > 256 - cmap->index)
cmap->count = 256 - cmap->index;
ba = gfp->g_regkva;
@@ -1873,7 +1873,7 @@ rh_putcmap (gfp, cmap)
if (cmap->count == 0 || cmap->index >= 256)
return(0);
- if (cmap->index + cmap->count > 256)
+ if (cmap->count > 256 - cmap->index)
cmap->count = 256 - cmap->index;
/* first copy the colors into kernelspace */
diff --git a/sys/arch/amiga/dev/grf_rt.c b/sys/arch/amiga/dev/grf_rt.c
index 1c6e5907f8e..784d86eecfd 100644
--- a/sys/arch/amiga/dev/grf_rt.c
+++ b/sys/arch/amiga/dev/grf_rt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: grf_rt.c,v 1.13 2002/04/29 06:26:50 pvalchev Exp $ */
+/* $OpenBSD: grf_rt.c,v 1.14 2002/08/02 16:13:07 millert Exp $ */
/* $NetBSD: grf_rt.c,v 1.35 1997/07/29 17:52:09 veego Exp $ */
/*
@@ -1158,7 +1158,7 @@ rt_getcmap (gfp, cmap)
if (cmap->count == 0 || cmap->index >= 256)
return (0);
- if (cmap->index + cmap->count > 256)
+ if (cmap->count > 256 - cmap->index)
cmap->count = 256 - cmap->index;
ba = gfp->g_regkva;
@@ -1196,7 +1196,7 @@ rt_putcmap (gfp, cmap)
if (cmap->count == 0 || cmap->index >= 256)
return 0;
- if (cmap->index + cmap->count > 256)
+ if (cmap->count > 256 - cmap->index)
cmap->count = 256 - cmap->index;
/* first copy the colors into kernelspace */
diff --git a/sys/arch/amiga/dev/grf_ul.c b/sys/arch/amiga/dev/grf_ul.c
index 5cc7dfbe856..b456f377a3d 100644
--- a/sys/arch/amiga/dev/grf_ul.c
+++ b/sys/arch/amiga/dev/grf_ul.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: grf_ul.c,v 1.14 2002/03/14 01:26:29 millert Exp $ */
+/* $OpenBSD: grf_ul.c,v 1.15 2002/08/02 16:13:07 millert Exp $ */
/* $NetBSD: grf_ul.c,v 1.24 1997/07/29 17:50:01 veego Exp $ */
#define UL_DEBUG
@@ -799,7 +799,7 @@ ul_getcmap (gp, cmap, dev)
if (cmap->count == 0 || cmap->index >= mxidx)
return 0;
- if (cmap->index + cmap->count > mxidx)
+ if (cmap->count > mxidx - cmap->index)
cmap->count = mxidx - cmap->index;
/* just copyout from the shadow color map */
@@ -842,7 +842,7 @@ ul_putcmap (gp, cmap, dev)
if (cmap->count == 0 || cmap->index >= mxidx)
return 0;
- if (cmap->index + cmap->count > mxidx)
+ if (cmap->count > mxidx - cmap->index)
cmap->count = mxidx - cmap->index;
/* first copyin to our shadow color map */
diff --git a/sys/arch/amiga/dev/view.c b/sys/arch/amiga/dev/view.c
index c5d2e21c40d..7fe31dcdd32 100644
--- a/sys/arch/amiga/dev/view.c
+++ b/sys/arch/amiga/dev/view.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: view.c,v 1.7 2002/06/11 03:25:43 miod Exp $ */
+/* $OpenBSD: view.c,v 1.8 2002/08/02 16:13:07 millert Exp $ */
/* $NetBSD: view.c,v 1.16 1996/10/13 03:07:35 christos Exp $ */
/*
@@ -348,7 +348,10 @@ view_get_colormap (vu, ucm)
u_long *uep;
/* add one incase of zero, ick. */
- cme = malloc(sizeof (u_long)*(ucm->size + 1), M_IOCTLOPS, M_WAITOK);
+ if (ucm->size >= SIZE_T_MAX / sizeof(u_long))
+ return (EINVAL);
+ cme = malloc(sizeof(u_long) * ((size_t)ucm->size + 1), M_IOCTLOPS,
+ M_WAITOK);
uep = ucm->entry;
error = 0;
diff --git a/sys/arch/macppc/pci/vgafb.c b/sys/arch/macppc/pci/vgafb.c
index 99311e7eb2c..ceddd8dcc43 100644
--- a/sys/arch/macppc/pci/vgafb.c
+++ b/sys/arch/macppc/pci/vgafb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: vgafb.c,v 1.15 2002/07/21 16:31:15 drahn Exp $ */
+/* $OpenBSD: vgafb.c,v 1.16 2002/08/02 16:13:07 millert Exp $ */
/* $NetBSD: vga.c,v 1.3 1996/12/02 22:24:54 cgd Exp $ */
/*
@@ -468,7 +468,7 @@ vgafb_getcmap(vc, cm)
u_int count = cm->count;
int error;
- if (index >= 256 || count > 256 || index + count > 256)
+ if (index >= 256 || count > 256 - index)
return EINVAL;
error = copyout(&vc->vc_cmap_red[index], cm->red, count);
@@ -489,12 +489,12 @@ vgafb_putcmap(vc, cm)
struct vgafb_config *vc;
struct wsdisplay_cmap *cm;
{
- int index = cm->index;
- int count = cm->count;
+ u_int index = cm->index;
+ u_int count = cm->count;
int i;
u_int8_t *r, *g, *b;
- if (index >= 256 || count > 256 || index + count > 256)
+ if (index >= 256 || count > 256 - index)
return EINVAL;
if (!uvm_useracc(cm->red, count, B_READ) ||
!uvm_useracc(cm->green, count, B_READ) ||
diff --git a/sys/arch/sparc/dev/bt_subr.c b/sys/arch/sparc/dev/bt_subr.c
index 9a24467081b..224de260bfa 100644
--- a/sys/arch/sparc/dev/bt_subr.c
+++ b/sys/arch/sparc/dev/bt_subr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bt_subr.c,v 1.6 2001/11/06 19:53:16 miod Exp $ */
+/* $OpenBSD: bt_subr.c,v 1.7 2002/08/02 16:13:07 millert Exp $ */
/* $NetBSD: bt_subr.c,v 1.5 1996/03/14 19:44:32 christos Exp $ */
/*
@@ -77,7 +77,7 @@ bt_getcmap(p, cm, cmsize)
start = p->index;
count = p->count;
- if (start >= cmsize || start + count > cmsize)
+ if (start >= cmsize || count > cmsize - start)
return (EINVAL);
if (!uvm_useracc(p->red, count, B_WRITE) ||
!uvm_useracc(p->green, count, B_WRITE) ||
@@ -105,7 +105,7 @@ bt_putcmap(p, cm, cmsize)
start = p->index;
count = p->count;
- if (start >= cmsize || start + count > cmsize)
+ if (start >= cmsize || count > cmsize - start)
return (EINVAL);
if (!uvm_useracc(p->red, count, B_READ) ||
!uvm_useracc(p->green, count, B_READ) ||
diff --git a/sys/arch/sparc/dev/cgfourteen.c b/sys/arch/sparc/dev/cgfourteen.c
index 9c4c0719a4f..372df567452 100644
--- a/sys/arch/sparc/dev/cgfourteen.c
+++ b/sys/arch/sparc/dev/cgfourteen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cgfourteen.c,v 1.9 2002/03/14 01:26:42 millert Exp $ */
+/* $OpenBSD: cgfourteen.c,v 1.10 2002/08/02 16:13:07 millert Exp $ */
/* $NetBSD: cgfourteen.c,v 1.7 1997/05/24 20:16:08 pk Exp $ */
/*
@@ -748,11 +748,11 @@ cg14_get_cmap(p, cm, cmsize)
start = p->index;
count = p->count;
- if (start >= cmsize || start + count > cmsize)
+ if (start >= cmsize || count > cmsize - start)
#ifdef DEBUG
{
- printf("putcmaperror: start %d cmsize %d count %d\n",
- start,cmsize,count);
+ printf("putcmaperror: start %u cmsize %d count %u\n",
+ start, cmsize, count);
#endif
return (EINVAL);
#ifdef DEBUG
@@ -783,11 +783,11 @@ cg14_put_cmap(p, cm, cmsize)
start = p->index;
count = p->count;
- if (start >= cmsize || start + count > cmsize)
+ if (start >= cmsize || count > cmsize - start)
#ifdef DEBUG
{
- printf("putcmaperror: start %d cmsize %d count %d\n",
- start,cmsize,count);
+ printf("putcmaperror: start %u cmsize %d count %u\n",
+ start, cmsize, count);
#endif
return (EINVAL);
#ifdef DEBUG
diff --git a/sys/arch/sparc/dev/cgtwo.c b/sys/arch/sparc/dev/cgtwo.c
index 4f3b8d44627..2204e78e2db 100644
--- a/sys/arch/sparc/dev/cgtwo.c
+++ b/sys/arch/sparc/dev/cgtwo.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cgtwo.c,v 1.20 2002/03/14 03:15:59 millert Exp $ */
+/* $OpenBSD: cgtwo.c,v 1.21 2002/08/02 16:13:07 millert Exp $ */
/* $NetBSD: cgtwo.c,v 1.22 1997/05/24 20:16:12 pk Exp $ */
/*
@@ -341,7 +341,7 @@ cgtwogetcmap(sc, cmap)
start = cmap->index;
count = cmap->count;
ecount = start + count;
- if (start >= CG2_CMSIZE || ecount > CG2_CMSIZE)
+ if (start >= CG2_CMSIZE || count > CG2_CMSIZE - start)
return (EINVAL);
/* XXX - Wait for retrace? */
@@ -384,7 +384,7 @@ cgtwoputcmap(sc, cmap)
start = cmap->index;
count = cmap->count;
ecount = start + count;
- if (start >= CG2_CMSIZE || ecount > CG2_CMSIZE)
+ if (start >= CG2_CMSIZE || count > CG2_CMSIZE - start)
return (EINVAL);
/* Copy from user space to local arrays. */
diff --git a/sys/arch/sparc64/dev/vgafb.c b/sys/arch/sparc64/dev/vgafb.c
index ced7fbe3f37..30710b36ecc 100644
--- a/sys/arch/sparc64/dev/vgafb.c
+++ b/sys/arch/sparc64/dev/vgafb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: vgafb.c,v 1.24 2002/07/30 17:55:56 jason Exp $ */
+/* $OpenBSD: vgafb.c,v 1.25 2002/08/02 16:13:07 millert Exp $ */
/*
* Copyright (c) 2001 Jason L. Wright (jason@thought.net)
@@ -327,6 +327,9 @@ vgafb_getcmap(sc, cm)
u_int count = cm->count;
int error;
+ if (index >= 256 || count > 256 - index)
+ return (EINVAL);
+
error = copyout(&sc->sc_cmap_red[index], cm->red, count);
if (error)
return (error);
@@ -344,13 +347,12 @@ vgafb_putcmap(sc, cm)
struct vgafb_softc *sc;
struct wsdisplay_cmap *cm;
{
- int index = cm->index;
- int count = cm->count;
+ u_int index = cm->index;
+ u_int count = cm->count;
int i;
u_char *r, *g, *b;
- if (cm->index >= 256 || cm->count > 256 ||
- (cm->index + cm->count) > 256)
+ if (index >= 256 || count > 256 - index)
return (EINVAL);
if (!uvm_useracc(cm->red, cm->count, B_READ) ||
!uvm_useracc(cm->green, cm->count, B_READ) ||
diff --git a/sys/arch/sun3/dev/bt_subr.c b/sys/arch/sun3/dev/bt_subr.c
index d51468ad11e..17022d60069 100644
--- a/sys/arch/sun3/dev/bt_subr.c
+++ b/sys/arch/sun3/dev/bt_subr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bt_subr.c,v 1.2 1997/01/16 04:03:42 kstailey Exp $ */
+/* $OpenBSD: bt_subr.c,v 1.3 2002/08/02 16:13:07 millert Exp $ */
/* $NetBSD: bt_subr.c,v 1.2 1995/04/10 22:12:48 gwr Exp $ */
/*
@@ -74,7 +74,7 @@ bt_getcmap(p, cm, cmsize)
start = p->index;
count = p->count;
- if (start >= cmsize || start + count > cmsize)
+ if (start >= cmsize || count > cmsize - start)
return (EINVAL);
if (!useracc(p->red, count, B_WRITE) ||
!useracc(p->green, count, B_WRITE) ||
@@ -102,7 +102,7 @@ bt_putcmap(p, cm, cmsize)
start = p->index;
count = p->count;
- if (start >= cmsize || start + count > cmsize)
+ if (start >= cmsize || count > cmsize - start)
return (EINVAL);
if (!useracc(p->red, count, B_READ) ||
!useracc(p->green, count, B_READ) ||
diff --git a/sys/arch/sun3/dev/cg2.c b/sys/arch/sun3/dev/cg2.c
index 5422ac1fe7e..59c94827178 100644
--- a/sys/arch/sun3/dev/cg2.c
+++ b/sys/arch/sun3/dev/cg2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cg2.c,v 1.11 2002/03/14 03:16:01 millert Exp $ */
+/* $OpenBSD: cg2.c,v 1.12 2002/08/02 16:13:07 millert Exp $ */
/* $NetBSD: cg2.c,v 1.7 1996/10/13 03:47:26 christos Exp $ */
/*
@@ -315,7 +315,7 @@ cg2getcmap(fb, cmap)
start = cmap->index;
count = cmap->count;
ecount = start + count;
- if (start >= CMSIZE || ecount > CMSIZE)
+ if (start >= CMSIZE || count > CMSIZE - start)
return (EINVAL);
/* XXX - Wait for retrace? */
@@ -358,7 +358,7 @@ cg2putcmap(fb, cmap)
start = cmap->index;
count = cmap->count;
ecount = start + count;
- if (start >= CMSIZE || ecount > CMSIZE)
+ if (start >= CMSIZE || count > CMSIZE - start)
return (EINVAL);
/* Copy from user space to local arrays. */
diff --git a/sys/arch/sun3/dev/cg4.c b/sys/arch/sun3/dev/cg4.c
index da050615dae..3b04679854d 100644
--- a/sys/arch/sun3/dev/cg4.c
+++ b/sys/arch/sun3/dev/cg4.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cg4.c,v 1.11 2002/03/14 01:26:46 millert Exp $ */
+/* $OpenBSD: cg4.c,v 1.12 2002/08/02 16:13:07 millert Exp $ */
/* $NetBSD: cg4.c,v 1.11 1996/10/29 19:54:19 gwr Exp $ */
/*
@@ -403,12 +403,12 @@ cg4getcmap(fb, fbcm)
{
struct cg4_softc *sc = fb->fb_private;
struct soft_cmap *cm = &sc->sc_cmap;
- int error, start, count;
+ u_int start, count;
+ int error;
start = fbcm->index;
count = fbcm->count;
- if ((start < 0) || (start >= CMAP_SIZE) ||
- (count < 0) || (start + count > CMAP_SIZE) )
+ if (start >= CMAP_SIZE || count > CMAP_SIZE - start)
return (EINVAL);
if ((error = copyout(&cm->r[start], fbcm->red, count)) != 0)
@@ -434,12 +434,12 @@ cg4putcmap(fb, fbcm)
{
struct cg4_softc *sc = fb->fb_private;
struct soft_cmap *cm = &sc->sc_cmap;
- int error, start, count;
+ u_int start, count;
+ int error;
start = fbcm->index;
count = fbcm->count;
- if ((start < 0) || (start >= CMAP_SIZE) ||
- (count < 0) || (start + count > CMAP_SIZE) )
+ if (start >= CMAP_SIZE || count > CMAP_SIZE - start)
return (EINVAL);
if ((error = copyin(fbcm->red, &cm->r[start], count)) != 0)