diff options
| author | Todd C. Miller <millert@cvs.openbsd.org> | 2002-08-02 16:13:08 +0000 |
|---|---|---|
| committer | Todd C. Miller <millert@cvs.openbsd.org> | 2002-08-02 16:13:08 +0000 |
| commit | a725f7b84119cee1a43880f6fbe9ef73c1edc07a (patch) | |
| tree | 4ed3bcba829808c53ce5e5698482dc8e15668de7 /sys/dev | |
| parent | b0e6567fb529f695856bcc0d3526100ee6f1c5a0 (diff) | |
Do correct bounds checking in get/set/put cmap routines. A few of
these check were already OK but have been modified for consistency.
Problem found by Silvio Cesare.
Diffstat (limited to 'sys/dev')
| -rw-r--r-- | sys/dev/ic/bt463.c | 16 | ||||
| -rw-r--r-- | sys/dev/ic/bt485.c | 14 | ||||
| -rw-r--r-- | sys/dev/ic/ibm561.c | 16 | ||||
| -rw-r--r-- | sys/dev/sbus/cgsix.c | 7 | ||||
| -rw-r--r-- | sys/dev/sbus/cgthree.c | 7 |
5 files changed, 29 insertions, 31 deletions
diff --git a/sys/dev/ic/bt463.c b/sys/dev/ic/bt463.c index b1e55c03064..f9204245cad 100644 --- a/sys/dev/ic/bt463.c +++ b/sys/dev/ic/bt463.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bt463.c,v 1.8 2002/04/01 11:26:32 matthieu Exp $ */ +/* $OpenBSD: bt463.c,v 1.9 2002/08/02 16:13:07 millert Exp $ */ /* $NetBSD: bt463.c,v 1.2 2000/06/13 17:21:06 nathanw Exp $ */ /*- @@ -365,10 +365,11 @@ bt463_set_cmap(rc, cmapp) struct wsdisplay_cmap *cmapp; { struct bt463data *data = (struct bt463data *)rc; - int count, index, s; + u_int count, index; + int s; - if ((u_int)cmapp->index >= BT463_NCMAP_ENTRIES || - ((u_int)cmapp->index + (u_int)cmapp->count) > BT463_NCMAP_ENTRIES) + if (cmapp->index >= BT463_NCMAP_ENTRIES || + cmapp->count > BT463_NCMAP_ENTRIES - cmapp->index) return (EINVAL); if (!uvm_useracc(cmapp->red, cmapp->count, B_READ) || !uvm_useracc(cmapp->green, cmapp->count, B_READ) || @@ -397,10 +398,11 @@ bt463_get_cmap(rc, cmapp) struct wsdisplay_cmap *cmapp; { struct bt463data *data = (struct bt463data *)rc; - int error, count, index; + u_int count, index; + int error; - if ((u_int)cmapp->index >= BT463_NCMAP_ENTRIES || - ((u_int)cmapp->index + (u_int)cmapp->count) > BT463_NCMAP_ENTRIES) + if (cmapp->index >= BT463_NCMAP_ENTRIES || + cmapp->count > BT463_NCMAP_ENTRIES - cmapp->index) return (EINVAL); count = cmapp->count; diff --git a/sys/dev/ic/bt485.c b/sys/dev/ic/bt485.c index 58d22e6e0c0..d27b56aa4e3 100644 --- a/sys/dev/ic/bt485.c +++ b/sys/dev/ic/bt485.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bt485.c,v 1.10 2002/04/01 11:26:32 matthieu Exp $ */ +/* $OpenBSD: bt485.c,v 1.11 2002/08/02 16:13:07 millert Exp $ */ /* $NetBSD: bt485.c,v 1.2 2000/04/02 18:55:01 nathanw Exp $ */ /* @@ -266,7 +266,8 @@ bt485_set_cmap(rc, cmapp) struct wsdisplay_cmap *cmapp; { struct bt485data *data = (struct bt485data *)rc; - int count, index, s; + u_int count, index; + int s; #ifdef DIAGNOSTIC if (rc == NULL) @@ -274,8 +275,7 @@ bt485_set_cmap(rc, cmapp) if (cmapp == NULL) panic("bt485_set_cmap: cmapp"); #endif - if ((u_int)cmapp->index >= 256 || - ((u_int)cmapp->index + (u_int)cmapp->count) > 256) + if (cmapp->index >= 256 || cmapp->count > 256 - cmapp->index) return (EINVAL); if (!uvm_useracc(cmapp->red, cmapp->count, B_READ) || !uvm_useracc(cmapp->green, cmapp->count, B_READ) || @@ -307,10 +307,10 @@ bt485_get_cmap(rc, cmapp) struct wsdisplay_cmap *cmapp; { struct bt485data *data = (struct bt485data *)rc; - int error, count, index; + u_int count, index; + int error; - if ((u_int)cmapp->index >= 256 || - ((u_int)cmapp->index + (u_int)cmapp->count) > 256) + if (cmapp->index >= 256 || cmapp->count > 256 - cmapp->index) return (EINVAL); count = cmapp->count; diff --git a/sys/dev/ic/ibm561.c b/sys/dev/ic/ibm561.c index 78ef0882298..c862d4b343b 100644 --- a/sys/dev/ic/ibm561.c +++ b/sys/dev/ic/ibm561.c @@ -1,5 +1,5 @@ /* $NetBSD: ibm561.c,v 1.1 2001/12/12 07:46:48 elric Exp $ */ -/* $OpenBSD: ibm561.c,v 1.1 2002/04/01 11:26:32 matthieu Exp $ */ +/* $OpenBSD: ibm561.c,v 1.2 2002/08/02 16:13:07 millert Exp $ */ /*- * Copyright (c) 2001 The NetBSD Foundation, Inc. @@ -274,12 +274,11 @@ ibm561_set_cmap(rc, cmapp) struct wsdisplay_cmap *cmapp; { struct ibm561data *data = (struct ibm561data *)rc; - int count; - int index; + u_int count, index; int s; - if ((u_int)cmapp->index >= IBM561_NCMAP_ENTRIES || - ((u_int)cmapp->index + (u_int)cmapp->count) > IBM561_NCMAP_ENTRIES) + if (cmapp->index >= IBM561_NCMAP_ENTRIES || + cmapp->count > IBM561_NCMAP_ENTRIES - cmapp->index) return (EINVAL); if (!uvm_useracc(cmapp->red, cmapp->count, B_READ) || !uvm_useracc(cmapp->green, cmapp->count, B_READ) || @@ -304,12 +303,11 @@ ibm561_get_cmap(rc, cmapp) struct wsdisplay_cmap *cmapp; { struct ibm561data *data = (struct ibm561data *)rc; + u_int count, index; int error; - int count; - int index; - if ((u_int)cmapp->index >= IBM561_NCMAP_ENTRIES || - ((u_int)cmapp->index + (u_int)cmapp->count) > IBM561_NCMAP_ENTRIES) + if (cmapp->index >= IBM561_NCMAP_ENTRIES || + cmapp->count > IBM561_NCMAP_ENTRIES - cmapp->index) return (EINVAL); count = cmapp->count; index = cmapp->index; diff --git a/sys/dev/sbus/cgsix.c b/sys/dev/sbus/cgsix.c index fc9cba7cf8e..20f54ae0766 100644 --- a/sys/dev/sbus/cgsix.c +++ b/sys/dev/sbus/cgsix.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cgsix.c,v 1.26 2002/07/30 23:03:30 jason Exp $ */ +/* $OpenBSD: cgsix.c,v 1.27 2002/08/02 16:13:07 millert Exp $ */ /* * Copyright (c) 2001 Jason L. Wright (jason@thought.net) @@ -506,7 +506,7 @@ cg6_bt_getcmap(bcm, rcm) u_int index = rcm->index, count = rcm->count, i; int error; - if (index >= 256 || index + count > 256) + if (index >= 256 || count > 256 - index) return (EINVAL); for (i = 0; i < count; i++) { if ((error = copyout(&bcm->cm_map[index + i][0], @@ -530,8 +530,7 @@ cg6_bt_putcmap(bcm, rcm) u_int index = rcm->index, count = rcm->count, i; int error; - if (index >= 256 || rcm->count > 256 || - (rcm->index + rcm->count) > 256) + if (index >= 256 || count > 256 - index) return (EINVAL); for (i = 0; i < count; i++) { if ((error = copyin(&rcm->red[i], diff --git a/sys/dev/sbus/cgthree.c b/sys/dev/sbus/cgthree.c index 781bc89ef52..a727217d455 100644 --- a/sys/dev/sbus/cgthree.c +++ b/sys/dev/sbus/cgthree.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cgthree.c,v 1.20 2002/07/30 18:05:58 jason Exp $ */ +/* $OpenBSD: cgthree.c,v 1.21 2002/08/02 16:13:07 millert Exp $ */ /* * Copyright (c) 2001 Jason L. Wright (jason@thought.net) @@ -543,7 +543,7 @@ cg3_bt_getcmap(bcm, rcm) u_int index = rcm->index, count = rcm->count, i; int error; - if (index >= 256 || index + count > 256) + if (index >= 256 || count > 256 - index) return (EINVAL); for (i = 0; i < count; i++) { if ((error = copyout(&bcm->cm_map[index + i][0], @@ -567,8 +567,7 @@ cg3_bt_putcmap(bcm, rcm) u_int index = rcm->index, count = rcm->count, i; int error; - if (index >= 256 || rcm->count > 256 || - (rcm->index + rcm->count) > 256) + if (index >= 256 || count > 256 - index) return (EINVAL); for (i = 0; i < count; i++) { if ((error = copyin(&rcm->red[i], |