integer overflow. from silvio@qualys.com

2002-08-06 22:46:11 +00:00 · 2002-08-06 22:46:11 +00:00 · e5b5171ab5
parent 05d221783a
commit e5b5171ab5
3 changed files with 10 additions and 11 deletions
--- a/sys/arch/arm/iomd/vidcvideo.c
+++ b/sys/arch/arm/iomd/vidcvideo.c
@ -1,4 +1,4 @@
-/* $NetBSD: vidcvideo.c,v 1.13 2002/07/04 14:43:48 junyoung Exp $ */
+/* $NetBSD: vidcvideo.c,v 1.14 2002/08/06 22:46:11 itojun Exp $ */

 /*
 * Copyright (c) 2001 Reinoud Zandijk
@ -36,7 +36,7 @@

 #include <sys/cdefs.h>			/* RCS ID & Copyright macro defns */

-__KERNEL_RCSID(0, "$NetBSD: vidcvideo.c,v 1.13 2002/07/04 14:43:48 junyoung Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vidcvideo.c,v 1.14 2002/08/06 22:46:11 itojun Exp $");

 #include <sys/param.h>
 #include <sys/systm.h>
@ -766,7 +766,7 @@ get_cmap(sc, p)
 {
 	u_int index = p->index, count = p->count;

-	if (index >= CMAP_SIZE || (index + count) > CMAP_SIZE)
+	if (index >= CMAP_SIZE || count > CMAP_SIZE - index)
 		return (EINVAL);

 	if (!uvm_useracc(p->red, count, B_WRITE) ||
--- a/sys/arch/i386/i386/sys_machdep.c
+++ b/sys/arch/i386/i386/sys_machdep.c
@ -1,4 +1,4 @@
-/*	$NetBSD: sys_machdep.c,v 1.63 2002/08/03 00:12:48 itojun Exp $	*/
+/*	$NetBSD: sys_machdep.c,v 1.64 2002/08/06 22:47:44 itojun Exp $	*/

 /*-
 * Copyright (c) 1998 The NetBSD Foundation, Inc.
@ -37,7 +37,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: sys_machdep.c,v 1.63 2002/08/03 00:12:48 itojun Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sys_machdep.c,v 1.64 2002/08/06 22:47:44 itojun Exp $");

 #include "opt_vm86.h"
 #include "opt_user_ldt.h"
@ -180,9 +180,8 @@ i386_set_ldt(p, args, retval)
 	    ua.num, ua.desc);
 #endif

-	if (ua.start < 0 || ua.num < 0)
-		return (EINVAL);
-	if (ua.start > 8192 || (ua.start + ua.num) > 8192)
+	if (ua.start < 0 || ua.num < 0 || ua.start > 8192 || ua.num > 8192 ||
+	    ua.start + ua.num > 8192)
 		return (EINVAL);

 	descv = malloc(sizeof (*descv) * ua.num, M_TEMP, M_NOWAIT);
--- a/sys/arch/luna68k/dev/lunafb.c
+++ b/sys/arch/luna68k/dev/lunafb.c
@ -1,4 +1,4 @@
-/* $NetBSD: lunafb.c,v 1.8 2002/07/04 14:43:49 junyoung Exp $ */
+/* $NetBSD: lunafb.c,v 1.9 2002/08/06 22:48:13 itojun Exp $ */

 /*-
 * Copyright (c) 2000 The NetBSD Foundation, Inc.
@ -38,7 +38,7 @@

 #include <sys/cdefs.h>			/* RCS ID & Copyright macro defns */

-__KERNEL_RCSID(0, "$NetBSD: lunafb.c,v 1.8 2002/07/04 14:43:49 junyoung Exp $");
+__KERNEL_RCSID(0, "$NetBSD: lunafb.c,v 1.9 2002/08/06 22:48:13 itojun Exp $");

 #include <sys/param.h>
 #include <sys/systm.h>
@ -299,7 +299,7 @@ omgetcmap(sc, p)
        int cmsize;

 	cmsize = sc->sc_dc->dc_cmsize;
-	if (index >= cmsize || (index + count) > cmsize)
+	if (index >= cmsize || count > cmsize - index)
 		return (EINVAL);

 	if (!uvm_useracc(p->red, count, B_WRITE) ||