PATCH 2.4.19: drivers/video/sbusfb.c

From: silvio.cesare@hushmail.com
Date: Wed Aug 07 2002 - 00:11:54 EST


integer overflow in index + count, leading to unbounded copies.

patch has not been tested or verified.

--
Silvio

diff -u drivers/video/sbusfb.c.2.4.19 drivers/video/sbusfb.c --- drivers/video/sbusfb.c.2.4.19 Tue Aug 6 21:17:39 2002 +++ drivers/video/sbusfb.c Tue Aug 6 21:21:50 2002 @@ -599,7 +599,8 @@ break; case FBIOGETCMAP_SPARC: { char *rp, *gp, *bp; - int end, count, index; + int count, index; + unsigned int end; struct fbcmap *cmap; if (!fb->loadcmap) @@ -612,7 +613,10 @@ return -EFAULT; if ((index < 0) || (index > 255)) return -EINVAL; - if (index + count > 256) + if ((count < 0) || (count > 256)) + return -EINVAL; + end = index + count; + if (end > 256) count = 256 - index; if (__get_user(rp, &cmap->red) || __get_user(gp, &cmap->green) || @@ -624,7 +628,6 @@ return -EFAULT; if (verify_area (VERIFY_WRITE, bp, count)) return -EFAULT; - end = index + count; for (i = index; i < end; i++){ if (__put_user(fb->color_map CM(i,0), rp) || __put_user(fb->color_map CM(i,1), gp) || @@ -637,7 +640,8 @@ } case FBIOPUTCMAP_SPARC: { /* load color map entries */ char *rp, *gp, *bp; - int end, count, index; + int count, index; + unsigned int end; struct fbcmap *cmap; if (!fb->loadcmap || !fb->color_map) @@ -650,7 +654,10 @@ return -EFAULT; if ((index < 0) || (index > 255)) return -EINVAL; - if (index + count > 256) + if ((count < 0) || (count > 256)) + return -EINVAL; + end = index + count; + if (end > 256) count = 256 - index; if (__get_user(rp, &cmap->red) || __get_user(gp, &cmap->green) || @@ -663,7 +670,6 @@

Communicate in total privacy. Get your free encrypted email at https://www.hushmail.com/?l=2

Looking for a good deal on a domain name? http://www.hush.com/partners/offers.cgi?id=domainpeople

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Wed Aug 07 2002 - 22:00:34 EST