correct range check, have overflow check, fix type mismatches,

for cmap args and some other calls. from openbsd
2002-08-03 00:12:48 +00:00 · 2002-08-03 00:12:48 +00:00 · 8dd04cdcd7
parent 84a99e2b3e
commit 8dd04cdcd7
21 changed files with 135 additions and 118 deletions
--- a/sys/arch/amiga/dev/grf_cl.c
+++ b/sys/arch/amiga/dev/grf_cl.c
@ -1,4 +1,4 @@
-/*	$NetBSD: grf_cl.c,v 1.30 2002/05/14 00:08:21 matt Exp $ */
+/*	$NetBSD: grf_cl.c,v 1.31 2002/08/03 00:12:53 itojun Exp $ */
 /*
 * Copyright (c) 1997 Klaus Burkert
@ -36,7 +36,7 @@
 #include "opt_amigacons.h"
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: grf_cl.c,v 1.30 2002/05/14 00:08:21 matt Exp $");
+__KERNEL_RCSID(0, "$NetBSD: grf_cl.c,v 1.31 2002/08/03 00:12:53 itojun Exp $");
 #include "grfcl.h"
 #if NGRFCL > 0
@ -1100,7 +1100,7 @@ cl_getcmap(gfp, cmap)
 	if (cmap->count == 0 || cmap->index >= 256)
 		return 0;
-	if (cmap->index + cmap->count > 256)
+	if (cmap->count > 256 - cmap->index)
 		cmap->count = 256 - cmap->index;
 	ba = gfp->g_regkva;
@ -1168,7 +1168,7 @@ cl_putcmap(gfp, cmap)
 	if (cmap->count == 0 || cmap->index >= 256)
 		return (0);
-	if (cmap->index + cmap->count > 256)
+	if (cmap->count > 256 - cmap->index)
 		cmap->count = 256 - cmap->index;
 	/* first copy the colors into kernelspace */
--- a/sys/arch/amiga/dev/grf_cv.c
+++ b/sys/arch/amiga/dev/grf_cv.c
@ -1,4 +1,4 @@
-/*	$NetBSD: grf_cv.c,v 1.30 2002/03/17 19:40:28 atatat Exp $ */
+/*	$NetBSD: grf_cv.c,v 1.31 2002/08/03 00:12:54 itojun Exp $ */
 /*
 * Copyright (c) 1995 Michael Teske
@ -33,7 +33,7 @@
 #include "opt_amigacons.h"
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: grf_cv.c,v 1.30 2002/03/17 19:40:28 atatat Exp $");
+__KERNEL_RCSID(0, "$NetBSD: grf_cv.c,v 1.31 2002/08/03 00:12:54 itojun Exp $");
 #include "grfcv.h"
 #if NGRFCV > 0
@ -1047,7 +1047,7 @@ cv_getcmap(struct grf_softc *gfp, struct grf_colormap *cmap)
 	if (cmap->count == 0 || cmap->index >= 256)
 		return (0);
-	if (cmap->index + cmap->count > 256)
+	if (cmap->count > 256 - cmap->index)
 		cmap->count = 256 - cmap->index;
 	/* first read colors out of the chip, then copyout to userspace */
@ -1085,7 +1085,7 @@ cv_putcmap(struct grf_softc *gfp, struct grf_colormap *cmap)
 	if (cmap->count == 0 || cmap->index >= 256)
 		return (0);
-	if (cmap->index + cmap->count > 256)
+	if (cmap->count > 256 - cmap->index)
 		cmap->count = 256 - cmap->index;
 	/* first copy the colors into kernelspace */
--- a/sys/arch/amiga/dev/grf_et.c
+++ b/sys/arch/amiga/dev/grf_et.c
@ -1,4 +1,4 @@
-/*	$NetBSD: grf_et.c,v 1.15 2002/03/17 19:40:29 atatat Exp $ */
+/*	$NetBSD: grf_et.c,v 1.16 2002/08/03 00:12:55 itojun Exp $ */
 /*
 * Copyright (c) 1997 Klaus Burkert
@ -37,7 +37,7 @@
 #include "opt_amigacons.h"
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: grf_et.c,v 1.15 2002/03/17 19:40:29 atatat Exp $");
+__KERNEL_RCSID(0, "$NetBSD: grf_et.c,v 1.16 2002/08/03 00:12:55 itojun Exp $");
 #include "grfet.h"
 #if NGRFET > 0
@ -834,7 +834,7 @@ et_getcmap(struct grf_softc *gfp, struct grf_colormap *cmap)
 	if (cmap->count == 0 || cmap->index >= 256)
 		return 0;
-	if (cmap->index + cmap->count > 256)
+	if (cmap->count > 256 - cmap->index)
 		cmap->count = 256 - cmap->index;
 	ba = gfp->g_regkva;
@ -885,7 +885,7 @@ et_putcmap(struct grf_softc *gfp, struct grf_colormap *cmap)
 	if (cmap->count == 0 || cmap->index >= 256)
 		return (0);
-	if (cmap->index + cmap->count > 256)
+	if (cmap->count > 256 - cmap->index)
 		cmap->count = 256 - cmap->index;
 	/* first copy the colors into kernelspace */
--- a/sys/arch/amiga/dev/grf_rh.c
+++ b/sys/arch/amiga/dev/grf_rh.c
@ -1,4 +1,4 @@
-/*	$NetBSD: grf_rh.c,v 1.35 2002/03/17 19:40:29 atatat Exp $ */
+/*	$NetBSD: grf_rh.c,v 1.36 2002/08/03 00:12:55 itojun Exp $ */
 /*
 * Copyright (c) 1994 Markus Wild
@ -34,7 +34,7 @@
 #include "opt_retina.h"
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: grf_rh.c,v 1.35 2002/03/17 19:40:29 atatat Exp $");
+__KERNEL_RCSID(0, "$NetBSD: grf_rh.c,v 1.36 2002/08/03 00:12:55 itojun Exp $");
 #include "grfrh.h"
 #if NGRFRH > 0
@ -1803,7 +1803,7 @@ rh_getcmap(struct grf_softc *gfp, struct grf_colormap *cmap)
 	if (cmap->count == 0 || cmap->index >= 256)
 		return 0;
-	if (cmap->index + cmap->count > 256)
+	if (cmap->count > 256 - cmap->index)
 		cmap->count = 256 - cmap->index;
 	ba = gfp->g_regkva;
@ -1838,7 +1838,7 @@ rh_putcmap(struct grf_softc *gfp, struct grf_colormap *cmap)
 	if (cmap->count == 0 || cmap->index >= 256)
 		return(0);
-	if (cmap->index + cmap->count > 256)
+	if (cmap->count > 256 - cmap->index)
 		cmap->count = 256 - cmap->index;
 	/* first copy the colors into kernelspace */
--- a/sys/arch/amiga/dev/grf_rt.c
+++ b/sys/arch/amiga/dev/grf_rt.c
@ -1,4 +1,4 @@
-/*	$NetBSD: grf_rt.c,v 1.42 2002/03/17 19:40:30 atatat Exp $ */
+/*	$NetBSD: grf_rt.c,v 1.43 2002/08/03 00:12:56 itojun Exp $ */
 /*
 * Copyright (c) 1993 Markus Wild
@ -33,7 +33,7 @@
 #include "opt_amigacons.h"
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: grf_rt.c,v 1.42 2002/03/17 19:40:30 atatat Exp $");
+__KERNEL_RCSID(0, "$NetBSD: grf_rt.c,v 1.43 2002/08/03 00:12:56 itojun Exp $");
 #include "grfrt.h"
 #if NGRFRT > 0
@ -1128,7 +1128,7 @@ rt_getcmap(struct grf_softc *gfp, struct grf_colormap *cmap)
 	if (cmap->count == 0 || cmap->index >= 256)
 		return (0);
-	if (cmap->index + cmap->count > 256)
+	if (cmap->count > 256 - cmap->index)
 		cmap->count = 256 - cmap->index;
 	ba = gfp->g_regkva;
@ -1164,7 +1164,7 @@ rt_putcmap(struct grf_softc *gfp, struct grf_colormap *cmap)
 	if (cmap->count == 0 || cmap->index >= 256)
 		return 0;
-	if (cmap->index + cmap->count > 256)
+	if (cmap->count > 256 - cmap->index)
 		cmap->count = 256 - cmap->index;
 	/* first copy the colors into kernelspace */
--- a/sys/arch/amiga/dev/grf_ul.c
+++ b/sys/arch/amiga/dev/grf_ul.c
@ -1,4 +1,4 @@
-/*	$NetBSD: grf_ul.c,v 1.31 2002/03/17 19:40:30 atatat Exp $ */
+/*	$NetBSD: grf_ul.c,v 1.32 2002/08/03 00:12:57 itojun Exp $ */
 #define UL_DEBUG
 /*-
@ -40,7 +40,7 @@
 #include "opt_amigacons.h"
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: grf_ul.c,v 1.31 2002/03/17 19:40:30 atatat Exp $");
+__KERNEL_RCSID(0, "$NetBSD: grf_ul.c,v 1.32 2002/08/03 00:12:57 itojun Exp $");
 #include "grful.h"
 #if NGRFUL > 0
@ -798,7 +798,7 @@ ul_getcmap (gp, cmap, dev)
 	if (cmap->count == 0 || cmap->index >= mxidx)
 		return 0;
-	if (cmap->index + cmap->count > mxidx)
+	if (cmap->count > mxidx - cmap->index)
 		cmap->count = mxidx - cmap->index;
 	/* just copyout from the shadow color map */
@ -841,7 +841,7 @@ ul_putcmap (gp, cmap, dev)
 	if (cmap->count == 0 || cmap->index >= mxidx)
 		return 0;
-	if (cmap->index + cmap->count > mxidx)
+	if (cmap->count > mxidx - cmap->index)
 		cmap->count = mxidx - cmap->index;
 	/* first copyin to our shadow color map */
--- a/sys/arch/amiga/dev/view.c
+++ b/sys/arch/amiga/dev/view.c
@ -1,4 +1,4 @@
-/*	$NetBSD: view.c,v 1.20 2002/03/17 19:40:32 atatat Exp $ */
+/*	$NetBSD: view.c,v 1.21 2002/08/03 00:12:58 itojun Exp $ */
 /*
 * Copyright (c) 1994 Christian E. Hopps
@ -38,7 +38,7 @@
 * a interface to graphics. */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: view.c,v 1.20 2002/03/17 19:40:32 atatat Exp $");
+__KERNEL_RCSID(0, "$NetBSD: view.c,v 1.21 2002/08/03 00:12:58 itojun Exp $");
 #include <sys/param.h>
 #include <sys/systm.h>
@ -334,6 +334,8 @@ view_get_colormap(struct view_softc *vu, colormap_t *ucm)
 	u_long *uep;
 	/* add one incase of zero, ick. */
 	if (ucm->size + 1 > SIZE_T_MAX / sizeof(u_long))
 		return EINVAL;
 	cme = malloc(sizeof (u_long)*(ucm->size + 1), M_IOCTLOPS, M_WAITOK);
 	if (cme == NULL)
 		return(ENOMEM);
--- a/sys/arch/hp300/hp300/hpux_machdep.c
+++ b/sys/arch/hp300/hp300/hpux_machdep.c
@ -1,4 +1,4 @@
-/*	$NetBSD: hpux_machdep.c,v 1.29 2002/07/04 23:32:03 thorpej Exp $	*/
+/*	$NetBSD: hpux_machdep.c,v 1.30 2002/08/03 00:12:58 itojun Exp $	*/
 /*-
 * Copyright (c) 1996, 1997, 1998 The NetBSD Foundation, Inc.
@ -78,7 +78,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: hpux_machdep.c,v 1.29 2002/07/04 23:32:03 thorpej Exp $");                                                  
+__KERNEL_RCSID(0, "$NetBSD: hpux_machdep.c,v 1.30 2002/08/03 00:12:58 itojun Exp $");                                                  
 #include <sys/param.h>
 #include <sys/systm.h>
@ -280,6 +280,9 @@ hpux_sys_getcontext(p, v, retval)
 	int l, i, error = 0;
 	int len; 
 	if (SCARG(uap, len) <= 0)
 		return (EINVAL);
 	for (i = 0; context_table[i].str != NULL; i++)
 		if (context_table[i].val == fputype)
 			break;
--- a/sys/arch/i386/i386/sys_machdep.c
+++ b/sys/arch/i386/i386/sys_machdep.c
@ -1,4 +1,4 @@
-/*	$NetBSD: sys_machdep.c,v 1.62 2002/03/22 18:41:40 christos Exp $	*/
+/*	$NetBSD: sys_machdep.c,v 1.63 2002/08/03 00:12:48 itojun Exp $	*/
 /*-
 * Copyright (c) 1998 The NetBSD Foundation, Inc.
@ -37,7 +37,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: sys_machdep.c,v 1.62 2002/03/22 18:41:40 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sys_machdep.c,v 1.63 2002/08/03 00:12:48 itojun Exp $");
 #include "opt_vm86.h"
 #include "opt_user_ldt.h"
@ -123,7 +123,8 @@ i386_get_ldt(p, args, retval)
 	    ua.num, ua.desc);
 #endif
-	if (ua.start < 0 || ua.num < 0)
+	if (ua.start < 0 || ua.num < 0 || ua.start > 8192 || ua.num > 8192 ||
 	    ua.start + ua.num > 8192)
 		return (EINVAL);
 	/*
--- a/sys/arch/sparc/dev/cgfourteen.c
+++ b/sys/arch/sparc/dev/cgfourteen.c
@ -1,4 +1,4 @@
-/*	$NetBSD: cgfourteen.c,v 1.23 2002/04/03 16:34:11 darrenr Exp $ */
+/*	$NetBSD: cgfourteen.c,v 1.24 2002/08/03 00:12:59 itojun Exp $ */
 /*
 * Copyright (c) 1996
@ -752,7 +752,7 @@ cg14_get_cmap(p, cm, cmsize)
 	start = p->index;
 	count = p->count;
-        if (start >= cmsize || start + count > cmsize)
+	if (start >= cmsize || count > cmsize - start)
 #ifdef DEBUG
 	{
 		printf("putcmaperror: start %d cmsize %d count %d\n",
@ -787,7 +787,7 @@ cg14_put_cmap(p, cm, cmsize)
 	start = p->index;
 	count = p->count;
-        if (start >= cmsize || start + count > cmsize)
+	if (start >= cmsize || count > cmsize - start)
 #ifdef DEBUG
 	{
 		printf("putcmaperror: start %d cmsize %d count %d\n",
--- a/sys/arch/sparc/dev/cgtwo.c
+++ b/sys/arch/sparc/dev/cgtwo.c
@ -1,4 +1,4 @@
-/*	$NetBSD: cgtwo.c,v 1.35 2001/08/05 18:07:53 jdolecek Exp $ */
+/*	$NetBSD: cgtwo.c,v 1.36 2002/08/03 00:13:00 itojun Exp $ */
 /*
 * Copyright (c) 1992, 1993
@ -328,7 +328,7 @@ cgtwogetcmap(sc, cmap)
 	start = cmap->index;
 	count = cmap->count;
 	ecount = start + count;
-	if (start >= CG2_CMSIZE || ecount > CG2_CMSIZE)
+	if (start >= CG2_CMSIZE || count > CG2_CMSIZE - start)
 		return (EINVAL);
 	/* XXX - Wait for retrace? */
@ -371,7 +371,7 @@ cgtwoputcmap(sc, cmap)
 	start = cmap->index;
 	count = cmap->count;
 	ecount = start + count;
-	if (start >= CG2_CMSIZE || ecount > CG2_CMSIZE)
+	if (start >= CG2_CMSIZE || count > CG2_CMSIZE - start)
 		return (EINVAL);
 	/* Copy from user space to local arrays. */
--- a/sys/arch/sun3/dev/bt_subr.c
+++ b/sys/arch/sun3/dev/bt_subr.c
@ -1,4 +1,4 @@
-/*	$NetBSD: bt_subr.c,v 1.4 2001/09/19 18:10:34 thorpej Exp $ */
+/*	$NetBSD: bt_subr.c,v 1.5 2002/08/03 00:13:00 itojun Exp $ */
 /*
 * Copyright (c) 1993
@ -73,7 +73,7 @@ bt_getcmap(p, cm, cmsize)
 	start = p->index;
 	count = p->count;
-	if (start >= cmsize || start + count > cmsize)
+	if (start >= cmsize || count > cmsize - start)
 		return (EINVAL);
 	if (!useracc(p->red, count, B_WRITE) ||
 	    !useracc(p->green, count, B_WRITE) ||
@ -101,7 +101,7 @@ bt_putcmap(p, cm, cmsize)
 	start = p->index;
 	count = p->count;
-	if (start >= cmsize || start + count > cmsize)
+	if (start >= cmsize || count > cmsize - start)
 		return (EINVAL);
 	if (!useracc(p->red, count, B_READ) ||
 	    !useracc(p->green, count, B_READ) ||
--- a/sys/arch/sun3/dev/cg2.c
+++ b/sys/arch/sun3/dev/cg2.c
@ -1,4 +1,4 @@
-/*	$NetBSD: cg2.c,v 1.16 2001/09/19 18:10:34 thorpej Exp $	*/
+/*	$NetBSD: cg2.c,v 1.17 2002/08/03 00:13:01 itojun Exp $	*/
 /*
 * Copyright (c) 1992, 1993
@ -317,7 +317,7 @@ static int cg2getcmap(fb, data)
 	start = cmap->index;
 	count = cmap->count;
 	ecount = start + count;
-	if (start >= CMSIZE || ecount > CMSIZE)
+	if (start >= CMSIZE || count > CMSIZE - start)
 		return (EINVAL);
 	/* XXX - Wait for retrace? */
@ -360,7 +360,7 @@ static int cg2putcmap(fb, data)
 	start = cmap->index;
 	count = cmap->count;
 	ecount = start + count;
-	if (start >= CMSIZE || ecount > CMSIZE)
+	if (start >= CMSIZE || count > CMSIZE - start)
 		return (EINVAL);
 	/* Copy from user space to local arrays. */
--- a/sys/arch/sun3/dev/cg4.c
+++ b/sys/arch/sun3/dev/cg4.c
@ -1,4 +1,4 @@
-/*	$NetBSD: cg4.c,v 1.23 2001/09/19 18:10:34 thorpej Exp $	*/
+/*	$NetBSD: cg4.c,v 1.24 2002/08/03 00:13:01 itojun Exp $	*/
 /*
 * Copyright (c) 1992, 1993
@ -468,12 +468,12 @@ static int cg4getcmap(fb, data)
 	struct cg4_softc *sc = fb->fb_private;
 	struct soft_cmap *cm = &sc->sc_cmap;
 	struct fbcmap *fbcm = data;
-	int error, start, count;
+	u_int start, count;
 	int error;
 	start = fbcm->index;
 	count = fbcm->count;
-	if ((start < 0) || (start >= CMAP_SIZE) ||
+	if (start >= CMAP_SIZE || count > CMAP_SIZE - start)
 	    (count < 0) || (start + count > CMAP_SIZE) )
 		return (EINVAL);
 	if ((error = copyout(&cm->r[start], fbcm->red, count)) != 0)
@ -499,12 +499,12 @@ static int cg4putcmap(fb, data)
 	struct cg4_softc *sc = fb->fb_private;
 	struct soft_cmap *cm = &sc->sc_cmap;
 	struct fbcmap *fbcm = data;
-	int error, start, count;
+	u_int start, count;
 	int error;
 	start = fbcm->index;
 	count = fbcm->count;
-	if ((start < 0) || (start >= CMAP_SIZE) ||
+	if (start >= CMAP_SIZE || count > CMAP_SIZE - start)
 	    (count < 0) || (start + count > CMAP_SIZE) )
 		return (EINVAL);
 	if ((error = copyin(fbcm->red, &cm->r[start], count)) != 0)
--- a/sys/compat/hpux/hpux_compat.c
+++ b/sys/compat/hpux/hpux_compat.c
@ -1,4 +1,4 @@
-/*	$NetBSD: hpux_compat.c,v 1.59 2002/03/16 20:43:50 christos Exp $	*/
+/*	$NetBSD: hpux_compat.c,v 1.60 2002/08/03 00:12:51 itojun Exp $	*/
 /*
 * Copyright (c) 1988 University of Utah.
@ -47,7 +47,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: hpux_compat.c,v 1.59 2002/03/16 20:43:50 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: hpux_compat.c,v 1.60 2002/08/03 00:12:51 itojun Exp $");
 #if defined(_KERNEL_OPT)
 #include "opt_sysv.h"
@ -402,10 +402,13 @@ hpux_sys_utssys(p, v, retval)
 	/* gethostname */
 	case 5:
 		/* SCARG(uap, dev) is length */
-		if (SCARG(uap, dev) > hostnamelen + 1)
+		i = SCARG(uap, dev);
-			SCARG(uap, dev) = hostnamelen + 1;
+		if (i < 0) {
-		error = copyout((caddr_t)hostname, (caddr_t)SCARG(uap, uts),
+			error = EINVAL;
-				SCARG(uap, dev));
+			break;
 		} else if (i > hostnamelen + 1)
 			i = hostnamelen + 1;
 		error = copyout((caddr_t)hostname, (caddr_t)SCARG(uap, uts), i);
 		break;
 	case 1:	/* ?? */
--- a/sys/compat/ibcs2/ibcs2_stat.c
+++ b/sys/compat/ibcs2/ibcs2_stat.c
@ -1,4 +1,4 @@
-/*	$NetBSD: ibcs2_stat.c,v 1.19 2002/03/16 20:43:51 christos Exp $	*/
+/*	$NetBSD: ibcs2_stat.c,v 1.20 2002/08/03 00:12:52 itojun Exp $	*/
 /*
 * Copyright (c) 1995, 1998 Scott Bartram
 * All rights reserved.
@ -27,7 +27,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ibcs2_stat.c,v 1.19 2002/03/16 20:43:51 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ibcs2_stat.c,v 1.20 2002/08/03 00:12:52 itojun Exp $");
 #include <sys/param.h>
 #include <sys/systm.h>
@ -87,6 +87,11 @@ cvt_statfs(sp, buf, len)
 {
 	struct ibcs2_statfs ssfs;
 	if (len < 0)
 		return (EINVAL);
 	if (len > sizeof(ssfs));
 		len = sizeof(ssfs);
 	memset(&ssfs, 0, sizeof ssfs);
 	ssfs.f_fstyp = 0;
 	ssfs.f_bsize = sp->f_bsize;
--- a/sys/dev/ic/bt463.c
+++ b/sys/dev/ic/bt463.c
@ -1,4 +1,4 @@
-/* $NetBSD: bt463.c,v 1.7 2001/12/12 07:47:46 elric Exp $ */
+/* $NetBSD: bt463.c,v 1.8 2002/08/03 00:13:02 itojun Exp $ */
 /*-
 * Copyright (c) 1998 The NetBSD Foundation, Inc.
@ -69,7 +69,7 @@
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: bt463.c,v 1.7 2001/12/12 07:47:46 elric Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bt463.c,v 1.8 2002/08/03 00:13:02 itojun Exp $");
 #include <sys/param.h>
 #include <sys/systm.h>
@ -369,7 +369,7 @@ bt463_set_cmap(rc, cmapp)
 	int s;
 	if (cmapp->index >= BT463_NCMAP_ENTRIES ||
-	    (cmapp->index + cmapp->count) > BT463_NCMAP_ENTRIES)
+	    cmapp->count > BT463_NCMAP_ENTRIES - cmapp->index)
 		return (EINVAL);
 	if (!uvm_useracc(cmapp->red, cmapp->count, B_READ) ||
 	    !uvm_useracc(cmapp->green, cmapp->count, B_READ) ||
@ -398,10 +398,11 @@ bt463_get_cmap(rc, cmapp)
 	struct wsdisplay_cmap *cmapp;
 {
 	struct bt463data *data = (struct bt463data *)rc;
-	int error, count, index;
+	u_int count, index;
 	int error;
-	if ((u_int)cmapp->index >= BT463_NCMAP_ENTRIES ||
+	if (cmapp->index >= BT463_NCMAP_ENTRIES ||
-	    ((u_int)cmapp->index + (u_int)cmapp->count) > BT463_NCMAP_ENTRIES)
+	    cmapp->count > BT463_NCMAP_ENTRIES - cmapp->index)
 		return (EINVAL);
 	count = cmapp->count;
--- a/sys/dev/ic/bt485.c
+++ b/sys/dev/ic/bt485.c
@ -1,4 +1,4 @@
-/* $NetBSD: bt485.c,v 1.8 2001/12/12 07:47:46 elric Exp $ */
+/* $NetBSD: bt485.c,v 1.9 2002/08/03 00:13:03 itojun Exp $ */
 /*
 * Copyright (c) 1995, 1996 Carnegie-Mellon University.
@ -32,7 +32,7 @@
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: bt485.c,v 1.8 2001/12/12 07:47:46 elric Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bt485.c,v 1.9 2002/08/03 00:13:03 itojun Exp $");
 #include <sys/param.h>
 #include <sys/systm.h>
@ -266,7 +266,7 @@ bt485_set_cmap(rc, cmapp)
 	u_int count, index;
 	int s;
-	if (cmapp->index >= 256 || (cmapp->index + cmapp->count) > 256)
+	if (cmapp->index >= 256 || cmapp->count > 256 - cmapp->index)
 		return (EINVAL);
 	if (!uvm_useracc(cmapp->red, cmapp->count, B_READ) ||
 	    !uvm_useracc(cmapp->green, cmapp->count, B_READ) ||
@ -295,10 +295,10 @@ bt485_get_cmap(rc, cmapp)
 	struct wsdisplay_cmap *cmapp;
 {
 	struct bt485data *data = (struct bt485data *)rc;
-	int error, count, index;
+	u_int count, index;
 	int error;
-	if ((u_int)cmapp->index >= 256 ||
+	if (cmapp->index >= 256 || cmapp->count > 256 - cmapp->index )
 	    ((u_int)cmapp->index + (u_int)cmapp->count) > 256)
 		return (EINVAL);
 	count = cmapp->count;
--- a/sys/dev/ic/ibm561.c
+++ b/sys/dev/ic/ibm561.c
@ -1,4 +1,4 @@
-/* $NetBSD: ibm561.c,v 1.2 2002/01/12 16:03:12 tsutsui Exp $ */
+/* $NetBSD: ibm561.c,v 1.3 2002/08/03 00:13:03 itojun Exp $ */
 /*-
 * Copyright (c) 2001 The NetBSD Foundation, Inc.
@ -273,12 +273,11 @@ ibm561_set_cmap(rc, cmapp)
 	struct wsdisplay_cmap *cmapp;
 {
 	struct ibm561data *data = (struct ibm561data *)rc;
-	int count;
+	u_int count, index;
 	int index;
 	int s;
-	if ((u_int)cmapp->index >= IBM561_NCMAP_ENTRIES ||
+	if (cmapp->index >= IBM561_NCMAP_ENTRIES ||
-	    ((u_int)cmapp->index + (u_int)cmapp->count) > IBM561_NCMAP_ENTRIES)
+	    cmapp->count > IBM561_NCMAP_ENTRIES - cmapp->index)
 		return (EINVAL);
 	if (!uvm_useracc(cmapp->red, cmapp->count, B_READ) ||
 	    !uvm_useracc(cmapp->green, cmapp->count, B_READ) ||
@ -303,12 +302,11 @@ ibm561_get_cmap(rc, cmapp)
 	struct wsdisplay_cmap *cmapp;
 {
 	struct ibm561data *data = (struct ibm561data *)rc;
 	u_int count, index;
 	int error;
 	int count;
 	int index;
-	if ((u_int)cmapp->index >= IBM561_NCMAP_ENTRIES ||
+	if (cmapp->index >= IBM561_NCMAP_ENTRIES ||
-	    ((u_int)cmapp->index + (u_int)cmapp->count) > IBM561_NCMAP_ENTRIES)
+	    cmapp->count > IBM561_NCMAP_ENTRIES - cmapp->index)
 		return (EINVAL);
 	count = cmapp->count;
 	index = cmapp->index;
--- a/sys/dev/ic/igsfb.c
+++ b/sys/dev/ic/igsfb.c
@ -1,4 +1,4 @@
-/*	$NetBSD: igsfb.c,v 1.4 2002/07/21 02:56:35 uwe Exp $ */
+/*	$NetBSD: igsfb.c,v 1.5 2002/08/03 00:13:03 itojun Exp $ */
 /*
 * Copyright (c) 2002 Valeriy E. Ushakov
@ -32,7 +32,7 @@
 * Only tested on IGA 1682 in Krups JavaStation-NC.
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: igsfb.c,v 1.4 2002/07/21 02:56:35 uwe Exp $");
+__KERNEL_RCSID(0, "$NetBSD: igsfb.c,v 1.5 2002/08/03 00:13:03 itojun Exp $");
 #include <sys/param.h>
 #include <sys/systm.h>
@ -597,7 +597,7 @@ igsfb_get_cmap(sc, p)
 {
 	u_int index = p->index, count = p->count;
-	if (index >= IGS_CMAP_SIZE || (index + count) > IGS_CMAP_SIZE)
+	if (index >= IGS_CMAP_SIZE || count > IGS_CMAP_SIZE - index)
 		return (EINVAL);
 	if (!uvm_useracc(p->red, count, B_WRITE) ||
@ -624,7 +624,7 @@ igsfb_set_cmap(sc, p)
 {
 	u_int index = p->index, count = p->count;
-	if (index >= IGS_CMAP_SIZE || (index + count) > IGS_CMAP_SIZE)
+	if (index >= IGS_CMAP_SIZE || count > IGS_CMAP_SIZE - index)
 		return (EINVAL);
 	if (!uvm_useracc(p->red, count, B_READ) ||
--- a/sys/ufs/lfs/lfs_syscalls.c
+++ b/sys/ufs/lfs/lfs_syscalls.c
@ -1,4 +1,4 @@
-/*	$NetBSD: lfs_syscalls.c,v 1.70 2002/07/07 14:29:06 briggs Exp $	*/
+/*	$NetBSD: lfs_syscalls.c,v 1.71 2002/08/03 00:12:49 itojun Exp $	*/
 /*-
 * Copyright (c) 1999, 2000 The NetBSD Foundation, Inc.
@ -71,7 +71,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: lfs_syscalls.c,v 1.70 2002/07/07 14:29:06 briggs Exp $");
+__KERNEL_RCSID(0, "$NetBSD: lfs_syscalls.c,v 1.71 2002/08/03 00:12:49 itojun Exp $");
 #define LFS		/* for prototypes in syscallargs.h */
@ -617,6 +617,8 @@ sys_lfs_bmapv(struct proc *p, void *v, register_t *retval)
 		return (error);
 	blkcnt = SCARG(uap, blkcnt);
 	if ((u_int) blkcnt > SIZE_T_MAX / sizeof(BLOCK_INFO))
 		return (EINVAL);
 	blkiov = malloc(blkcnt * sizeof(BLOCK_INFO), M_SEGMENT, M_WAITOK);
 	if ((error = copyin(SCARG(uap, blkiov), blkiov,
 			    blkcnt * sizeof(BLOCK_INFO))) != 0)
@ -650,6 +652,8 @@ sys_lfs_bmapv(struct proc *p, void *v, register_t *retval)
 		return (error);
 	blkcnt = SCARG(uap, blkcnt);
 	if ((u_int) blkcnt > SIZE_T_MAX / sizeof(BLOCK_INFO))
 		return (EINVAL);
 	blkiov = malloc(blkcnt * sizeof(BLOCK_INFO), M_SEGMENT, M_WAITOK);
 	blkiov15 = malloc(blkcnt * sizeof(BLOCK_INFO_15), M_SEGMENT, M_WAITOK);
 	if ((error = copyin(SCARG(uap, blkiov), blkiov15,