diff --git a/sys/dev/ic/pcdisplay_subr.c b/sys/dev/ic/pcdisplay_subr.c index 48b3d0833627..21db8e5f4e8c 100644 --- a/sys/dev/ic/pcdisplay_subr.c +++ b/sys/dev/ic/pcdisplay_subr.c @@ -1,4 +1,4 @@ -/* $NetBSD: pcdisplay_subr.c,v 1.32 2006/04/15 17:48:23 jmmv Exp $ */ +/* $NetBSD: pcdisplay_subr.c,v 1.33 2007/07/28 20:28:56 mjf Exp $ */ /* * Copyright (c) 1995, 1996 Carnegie-Mellon University. @@ -28,7 +28,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: pcdisplay_subr.c,v 1.32 2006/04/15 17:48:23 jmmv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: pcdisplay_subr.c,v 1.33 2007/07/28 20:28:56 mjf Exp $"); #include "opt_wsmsgattrs.h" /* for WSDISPLAY_CUSTOM_OUTPUT */ @@ -157,10 +157,14 @@ pcdisplay_putchar(void *id, int row, int col, unsigned int c, long attr) struct pcdisplayscreen *scr = id; bus_space_tag_t memt = scr->hdl->ph_memt; bus_space_handle_t memh = scr->hdl->ph_memh; - int off; + size_t off; off = row * scr->type->ncols + col; + /* check for bogus row and column sizes */ + if (__predict_false(off >= (scr->type->ncols * scr->type->nrows))) + return; + if (scr->active) bus_space_write_2(memt, memh, scr->dispoffset + off * 2, c | (attr << 8)); @@ -293,7 +297,7 @@ pcdisplay_replaceattr(void *id, long oldattr, long newattr) int pcdisplay_getwschar(struct pcdisplayscreen *scr, struct wsdisplay_char *wschar) { - int off; + size_t off; uint16_t chardata; uint8_t attrbyte; @@ -323,7 +327,7 @@ pcdisplay_getwschar(struct pcdisplayscreen *scr, struct wsdisplay_char *wschar) int pcdisplay_putwschar(struct pcdisplayscreen *scr, struct wsdisplay_char *wschar) { - int off; + size_t off; uint16_t chardata; uint8_t attrbyte; diff --git a/sys/dev/ic/vga.c b/sys/dev/ic/vga.c index 89bb4479a08d..73d608c24bb5 100644 --- a/sys/dev/ic/vga.c +++ b/sys/dev/ic/vga.c @@ -1,4 +1,4 @@ -/* $NetBSD: vga.c,v 1.94 2007/07/19 22:24:06 dsl Exp $ */ +/* $NetBSD: vga.c,v 1.95 2007/07/28 20:28:56 mjf Exp $ */ /* * Copyright (c) 1995, 1996 Carnegie-Mellon University. @@ -28,7 +28,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: vga.c,v 1.94 2007/07/19 22:24:06 dsl Exp $"); +__KERNEL_RCSID(0, "$NetBSD: vga.c,v 1.95 2007/07/28 20:28:56 mjf Exp $"); /* for WSCONS_SUPPORT_PCVTFONTS */ #include "opt_wsdisplay_compat.h" @@ -1104,6 +1104,10 @@ vga_allocattr(void *id, int fg, int bg, int flags, long *attrp) struct vgascreen *scr = id; struct vga_config *vc = scr->cfg; + if (__predict_false((unsigned int)fg >= sizeof(fgansitopc) || + (unsigned int)bg >= sizeof(bgansitopc))) + return (EINVAL); + if (vc->hdl.vh_mono) { if (flags & WSATTR_WSCOLORS) return (EINVAL); diff --git a/sys/dev/ic/vga_raster.c b/sys/dev/ic/vga_raster.c index fd94672389bd..c30560051dc9 100644 --- a/sys/dev/ic/vga_raster.c +++ b/sys/dev/ic/vga_raster.c @@ -1,4 +1,4 @@ -/* $NetBSD: vga_raster.c,v 1.28 2007/07/09 21:00:40 ad Exp $ */ +/* $NetBSD: vga_raster.c,v 1.29 2007/07/28 20:28:57 mjf Exp $ */ /* * Copyright (c) 2001, 2002 Bang Jun-Young @@ -56,7 +56,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: vga_raster.c,v 1.28 2007/07/09 21:00:40 ad Exp $"); +__KERNEL_RCSID(0, "$NetBSD: vga_raster.c,v 1.29 2007/07/28 20:28:57 mjf Exp $"); #include "opt_wsmsgattrs.h" /* for WSDISPLAY_CUSTOM_OUTPUT */ @@ -1118,12 +1118,15 @@ void vga_raster_putchar(void *id, int row, int col, u_int c, long attr) { struct vgascreen *scr = id; - int off; + size_t off; struct vga_raster_font *fs; u_int tmp_ch; off = row * scr->type->ncols + col; + if (__predict_false(off >= (scr->type->ncols * scr->type->nrows))) + return; + LIST_FOREACH(fs, &scr->fontset, next) { if ((scr->encoding == fs->font->encoding) && (c >= fs->font->firstchar) && @@ -1394,6 +1397,10 @@ vga_raster_allocattr(void *id, int fg, int bg, int flags, long *attrp) struct vgascreen *scr = id; struct vga_config *vc = scr->cfg; + if (__predict_false((unsigned int)fg >= sizeof(fgansitopc) || + (unsigned int)bg >= sizeof(bgansitopc))) + return (EINVAL); + if (vc->hdl.vh_mono) { if (flags & WSATTR_WSCOLORS) return (EINVAL); diff --git a/sys/dev/isa/ega.c b/sys/dev/isa/ega.c index 3c076cb3fad0..5f96b2674482 100644 --- a/sys/dev/isa/ega.c +++ b/sys/dev/isa/ega.c @@ -1,4 +1,4 @@ -/* $NetBSD: ega.c,v 1.22 2007/07/09 21:00:49 ad Exp $ */ +/* $NetBSD: ega.c,v 1.23 2007/07/28 20:28:57 mjf Exp $ */ /* * Copyright (c) 1999 @@ -27,7 +27,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ega.c,v 1.22 2007/07/09 21:00:49 ad Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ega.c,v 1.23 2007/07/28 20:28:57 mjf Exp $"); #include #include @@ -851,6 +851,10 @@ ega_allocattr(id, fg, bg, flags, attrp) struct egascreen *scr = id; struct ega_config *vc = scr->cfg; + if (__predict_false((unsigned int)fg >= sizeof(fgansitopc) || + (unsigned int)bg >= sizeof(bgansitopc))) + return (EINVAL); + if (vc->hdl.vh_mono) { if (flags & WSATTR_WSCOLORS) return (EINVAL); diff --git a/sys/dev/pci/chipsfb.c b/sys/dev/pci/chipsfb.c index e3dbb3ce9b24..c7a98c840674 100644 --- a/sys/dev/pci/chipsfb.c +++ b/sys/dev/pci/chipsfb.c @@ -1,4 +1,4 @@ -/* $NetBSD: chipsfb.c,v 1.9 2007/03/04 06:02:17 christos Exp $ */ +/* $NetBSD: chipsfb.c,v 1.10 2007/07/28 20:28:57 mjf Exp $ */ /* * Copyright (c) 2006 Michael Lorenz @@ -33,7 +33,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: chipsfb.c,v 1.9 2007/03/04 06:02:17 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: chipsfb.c,v 1.10 2007/07/28 20:28:57 mjf Exp $"); #include #include @@ -685,6 +685,10 @@ chipsfb_putchar(void *cookie, int row, int col, u_int c, long attr) struct vcons_screen *scr = ri->ri_hw; struct chipsfb_softc *sc = scr->scr_cookie; + if (__predict_false((unsigned int)row > ri->ri_rows || + (unsigned int)col > ri->ri_cols)) + return; + if (sc->sc_mode == WSDISPLAYIO_MODE_EMUL) { uint8_t *data; int fg, bg, uc; diff --git a/sys/dev/rasops/rasops.c b/sys/dev/rasops/rasops.c index 10d485790031..5008b4beb37b 100644 --- a/sys/dev/rasops/rasops.c +++ b/sys/dev/rasops/rasops.c @@ -1,4 +1,4 @@ -/* $NetBSD: rasops.c,v 1.55 2007/02/02 02:10:24 ober Exp $ */ +/* $NetBSD: rasops.c,v 1.56 2007/07/28 20:28:57 mjf Exp $ */ /*- * Copyright (c) 1999 The NetBSD Foundation, Inc. @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: rasops.c,v 1.55 2007/02/02 02:10:24 ober Exp $"); +__KERNEL_RCSID(0, "$NetBSD: rasops.c,v 1.56 2007/07/28 20:28:57 mjf Exp $"); #include "opt_rasops.h" #include "rasops_glue.h" @@ -437,6 +437,10 @@ rasops_allocattr_color(void *cookie, int fg, int bg, int flg, { int swap; + if (__predict_false((unsigned int)fg >= sizeof(rasops_isgray) || + (unsigned int)bg >= sizeof(rasops_isgray))) + return (EINVAL); + #ifdef RASOPS_CLIPPING fg &= 7; bg &= 7; @@ -1257,6 +1261,14 @@ rasops_putchar_rotated(cookie, row, col, uc, attr) ri = (struct rasops_info *)cookie; + if (__predict_false((unsigned int)row > ri->ri_rows || + (unsigned int)col > ri->ri_cols)) + return; + + /* Avoid underflow */ + if ((ri->ri_rows - row - 1) < 0) + return; + /* Do rotated char sans (side)underline */ ri->ri_real_ops.putchar(cookie, col, ri->ri_rows - row - 1, uc, attr & ~1); diff --git a/sys/dev/wscons/wsdisplay_vcons.c b/sys/dev/wscons/wsdisplay_vcons.c index 5c1ff2368262..bc201b9791d7 100644 --- a/sys/dev/wscons/wsdisplay_vcons.c +++ b/sys/dev/wscons/wsdisplay_vcons.c @@ -1,4 +1,4 @@ -/* $NetBSD: wsdisplay_vcons.c,v 1.11 2007/07/09 21:01:26 ad Exp $ */ +/* $NetBSD: wsdisplay_vcons.c,v 1.12 2007/07/28 20:28:57 mjf Exp $ */ /*- * Copyright (c) 2005, 2006 Michael Lorenz @@ -34,7 +34,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: wsdisplay_vcons.c,v 1.11 2007/07/09 21:01:26 ad Exp $"); +__KERNEL_RCSID(0, "$NetBSD: wsdisplay_vcons.c,v 1.12 2007/07/28 20:28:57 mjf Exp $"); #include #include @@ -663,6 +663,10 @@ vcons_putwschar(struct vcons_screen *scr, struct wsdisplay_char *wsc) KASSERT(scr != NULL && wsc != NULL); + if (__predict_false((unsigned int)wsc->col > ri->ri_cols || + (unsigned int)wsc->row > ri->ri_rows)) + return (EINVAL); + ri = &scr->scr_ri; ri->ri_ops.allocattr(ri, wsc->foreground, wsc->background,