[PATCH (?)] vt: fix possible memory corruption in complement_pos
From: André Pereira de Almeida
Date: Wed May 25 2005 - 13:33:31 EST
Hi.
In the file drivers/char/vt.c the function complement_pos (used by
selection: complement pointer position) saves the memory position of
previous pointer position. If, between 2 successive calls of this
function, the memory location of the screen has changed (e.g. the window
has been resized), the old pointer position is invalid, and, if this
memory position has been allocated by another kernel data, this data may
be corrupted since this function will try to restore the previous data.
I don't know if this is the right approach, but this patch will solve
this bug.
--- linux-2.6.12-rc4-mm2.orig/drivers/char/vt.c 2005-05-25
12:04:54.000000000 -0300
+++ linux-2.6.12-rc4-mm2/drivers/char/vt.c 2005-05-25
12:36:20.000000000 -0300
@@ -434,21 +434,21 @@ void invert_screen(struct vc_data *vc, i
/* used by selection: complement pointer position */
void complement_pos(struct vc_data *vc, int offset)
{
- static unsigned short *p;
+ static int old_offset=-1;
static unsigned short old;
static unsigned short oldx, oldy;
WARN_CONSOLE_UNLOCKED();
- if (p) {
- scr_writew(old, p);
+ if (old_offset!=-1) {
+ scr_writew(old, screenpos(vc, old_offset, 1));
if (DO_UPDATE(vc))
vc->vc_sw->con_putc(vc, old, oldy, oldx);
}
- if (offset == -1)
- p = NULL;
- else {
+ old_offset=offset;
+ if (offset != -1) {
unsigned short new;
+ unsigned short *p;
p = screenpos(vc, offset, 1);
old = scr_readw(p);
new = old ^ vc->vc_complement_mask;
--- linux-2.6.12-rc4-mm2.orig/drivers/char/vt.c 2005-05-25 12:04:54.000000000 -0300
+++ linux-2.6.12-rc4-mm2/drivers/char/vt.c 2005-05-25 12:36:20.000000000 -0300
@@ -434,21 +434,21 @@ void invert_screen(struct vc_data *vc, i
/* used by selection: complement pointer position */
void complement_pos(struct vc_data *vc, int offset)
{
- static unsigned short *p;
+ static int old_offset=-1;
static unsigned short old;
static unsigned short oldx, oldy;
WARN_CONSOLE_UNLOCKED();
- if (p) {
- scr_writew(old, p);
+ if (old_offset!=-1) {
+ scr_writew(old, screenpos(vc, old_offset, 1));
if (DO_UPDATE(vc))
vc->vc_sw->con_putc(vc, old, oldy, oldx);
}
- if (offset == -1)
- p = NULL;
- else {
+ old_offset=offset;
+ if (offset != -1) {
unsigned short new;
+ unsigned short *p;
p = screenpos(vc, offset, 1);
old = scr_readw(p);
new = old ^ vc->vc_complement_mask;