diff options
| author | Marcus Glocker <mglocker@cvs.openbsd.org> | 2008-07-26 11:42:44 +0000 |
|---|---|---|
| committer | Marcus Glocker <mglocker@cvs.openbsd.org> | 2008-07-26 11:42:44 +0000 |
| commit | 09b94e3defe95d9866698b3e53ec1747470010bd (patch) | |
| tree | 91c49c66da3bafb429df51017a38c27f56bb17b2 /sys/dev/video.c | |
| parent | 9268ba740f9de1e637d7b806ec367169723abe22 (diff) | |
Since we are able to change the device image resolution on the fly in the
meantime, the memory allocation for the read(2) method for video(4)
is not right anymore, and can cause a buffer overflow.
We fix this by queuering the maximum available image size for a device at
attach time. If the image size should exceed our video(4) buffer after a
video format change (which shouldn't happen), uvideo(4) will gracefully
fail.
Also tested by kettenis@
Diffstat (limited to 'sys/dev/video.c')
| -rw-r--r-- | sys/dev/video.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/sys/dev/video.c b/sys/dev/video.c index cfa33d97126..f2be15e1979 100644 --- a/sys/dev/video.c +++ b/sys/dev/video.c @@ -1,4 +1,4 @@ -/* $OpenBSD: video.c,v 1.18 2008/07/23 22:10:21 mglocker Exp $ */ +/* $OpenBSD: video.c,v 1.19 2008/07/26 11:42:43 mglocker Exp $ */ /* * Copyright (c) 2008 Robert Nagy <robert@openbsd.org> * Copyright (c) 2008 Marcus Glocker <mglocker@openbsd.org> @@ -77,6 +77,10 @@ videoattach(struct device *parent, struct device *self, void *aux) if (sc->hw_if->get_bufsize) video_buf_size = (sc->hw_if->get_bufsize)(sc->hw_hdl); + if (video_buf_size == EINVAL) { + printf("video: could not request frame buffer size\n"); + return; + } sc->sc_fbuffer = malloc(video_buf_size, M_DEVBUF, M_NOWAIT); if (sc->sc_fbuffer == NULL) { |