summaryrefslogtreecommitdiff
path: root/sys/dev/wscons/wsdisplay.c
diff options
context:
space:
mode:
authorMark Kettenis <kettenis@cvs.openbsd.org>2017-07-18 21:27:51 +0000
committerMark Kettenis <kettenis@cvs.openbsd.org>2017-07-18 21:27:51 +0000
commitf00db77686555eca3f3193436de5a892a45feeca (patch)
tree6d9cc7953416980ea073d2823412a5ad8b637944 /sys/dev/wscons/wsdisplay.c
parent492f7f08c88bd0d690c61cea0f018c18f5da899f (diff)
Prevent integer overflow in WSDISPLAYIO_LDFONT ioctl.
Issue found by Ilja van Sprundel. ok deraadt@
Diffstat (limited to 'sys/dev/wscons/wsdisplay.c')
-rw-r--r--sys/dev/wscons/wsdisplay.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/sys/dev/wscons/wsdisplay.c b/sys/dev/wscons/wsdisplay.c
index cb7bde50593..90c8f4680e1 100644
--- a/sys/dev/wscons/wsdisplay.c
+++ b/sys/dev/wscons/wsdisplay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: wsdisplay.c,v 1.126 2017/01/11 08:21:33 fcambus Exp $ */
+/* $OpenBSD: wsdisplay.c,v 1.127 2017/07/18 21:27:50 kettenis Exp $ */
/* $NetBSD: wsdisplay.c,v 1.82 2005/02/27 00:27:52 perry Exp $ */
/*
@@ -1305,6 +1305,10 @@ wsdisplay_cfg_ioctl(struct wsdisplay_softc *sc, u_long cmd, caddr_t data,
#define d ((struct wsdisplay_font *)data)
if (!sc->sc_accessops->load_font)
return (EINVAL);
+ if (d->fontheight > 64 || d->stride > 8) /* 64x64 pixels */
+ return (EINVAL);
+ if (d->numchars > 65536) /* unicode plane */
+ return (EINVAL);
fontsz = d->fontheight * d->stride * d->numchars;
if (fontsz > WSDISPLAY_MAXFONTSZ)
return (EINVAL);
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-29 22:01:42 +0000