From 98694dd38504cb43e8a4e874de05a3d21f321a41 Mon Sep 17 00:00:00 2001
From: Siarzhuk Zharski
Date: Mon, 31 May 2010 19:30:48 +0000
Subject: [PATCH] Fixed using user_memcpy for data received from userlad. This fixes ticket #6082.
git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@36975 a95241bf-73f2-0310-859d-f6bbb57e9c96
---
.../drivers/audio/ac97/ali5451/ali_multi.c | 83 +++++++++++-------
.../kernel/drivers/audio/null/null_multi.c | 86 ++++++++++++-------
2 files changed, 105 insertions(+), 64 deletions(-)
diff --git a/src/add-ons/kernel/drivers/audio/ac97/ali5451/ali_multi.c b/src/add-ons/kernel/drivers/audio/ac97/ali5451/ali_multi.c
index 607cc5272e..9606416f7d 100644
--- a/src/add-ons/kernel/drivers/audio/ac97/ali5451/ali_multi.c
+++ b/src/add-ons/kernel/drivers/audio/ac97/ali5451/ali_multi.c
@@ -107,36 +107,46 @@ static const multi_channel_info channel_descriptions[] = { static status_t get_description(void *cookie, multi_description *data) { - data->interface_version = B_CURRENT_INTERFACE_VERSION; - data->interface_minimum = B_CURRENT_INTERFACE_VERSION; - - strcpy(data->friendly_name, "ALI M5451"); - strcpy(data->vendor_info, "Krzysztof Ćwiertnia"); - - data->output_channel_count = ALI_SUPPORTED_OUTPUT_CHANNELS; - data->input_channel_count = ALI_SUPPORTED_INPUT_CHANNELS; - data->output_bus_channel_count = ALI_SUPPORTED_OUTPUT_CHANNELS; - data->input_bus_channel_count = ALI_SUPPORTED_INPUT_CHANNELS; - data->aux_bus_channel_count = 0; - - if ((int32) (sizeof(channel_descriptions)/sizeof(channel_descriptions[0])) - <= data->request_channel_count) { - memcpy(data->channels, &channel_descriptions, - sizeof(channel_descriptions)); + multi_description description; + if(user_memcpy(&description, data, sizeof(multi_description)) != B_OK) { + return B_BAD_ADDRESS; } - data->output_formats = ALI_VALID_OUTPUT_FORMATS; - data->output_rates = ALI_VALID_OUTPUT_SAMPLE_RATES; + description.interface_version = B_CURRENT_INTERFACE_VERSION; + description.interface_minimum = B_CURRENT_INTERFACE_VERSION; - data->input_formats = ALI_VALID_INPUT_FORMATS; - data->input_rates = ALI_VALID_INPUT_SAMPLE_RATES; + strcpy(description.friendly_name, "ALI M5451"); + strcpy(description.vendor_info, "Krzysztof Ćwiertnia"); - data->lock_sources = B_MULTI_LOCK_INTERNAL; - data->timecode_sources = 0; - data->interface_flags = B_MULTI_INTERFACE_PLAYBACK|B_MULTI_INTERFACE_RECORD; - data->start_latency = 30000; + description.output_channel_count = ALI_SUPPORTED_OUTPUT_CHANNELS; + description.input_channel_count = ALI_SUPPORTED_INPUT_CHANNELS; + description.output_bus_channel_count = ALI_SUPPORTED_OUTPUT_CHANNELS; + description.input_bus_channel_count = ALI_SUPPORTED_INPUT_CHANNELS; + description.aux_bus_channel_count = 0; - strcpy(data->control_panel,""); + description.output_formats = 
ALI_VALID_OUTPUT_FORMATS; + description.output_rates = ALI_VALID_OUTPUT_SAMPLE_RATES; + + description.input_formats = ALI_VALID_INPUT_FORMATS; + description.input_rates = ALI_VALID_INPUT_SAMPLE_RATES; + + description.lock_sources = B_MULTI_LOCK_INTERNAL; + description.timecode_sources = 0; + description.interface_flags = B_MULTI_INTERFACE_PLAYBACK|B_MULTI_INTERFACE_RECORD; + description.start_latency = 30000; + + strcpy(description.control_panel,""); + + if(user_memcpy(data, &description, sizeof(multi_description)) != B_OK) { + return B_BAD_ADDRESS; + } + + if(description.request_channel_count >= + sizeof(channel_descriptions) / sizeof(channel_descriptions[0])) { + if(user_memcpy(data->channels, + &channel_descriptions, sizeof(channel_descriptions)) != B_OK) + return B_BAD_ADDRESS; + } return B_OK; } @@ -487,11 +497,16 @@ get_buffers(ali_dev *card, multi_buffer_list *data) static status_t -buffer_exchange(ali_dev *card, multi_buffer_info *buffer_info) +buffer_exchange(ali_dev *card, multi_buffer_info *info) { status_t res; ali_stream *play_s, *rec_s; + multi_buffer_info buffer_info; + if(user_memcpy(&buffer_info, info, sizeof(multi_buffer_info)) != B_OK) { + return B_BAD_ADDRESS; + } + play_s = card->playback_stream; rec_s = card->record_stream; 
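Review bot: The final copy in get_description still evaluates `data->channels`, which reads the destination pointer directly out of the user buffer instead of from the kernel copy taken at the top of the function; take it from the snapshot, `user_memcpy(description.channels, &channel_descriptions, sizeof(channel_descriptions))`. The size check just above it also drops the `(int32)` cast the removed code had, so the comparison against `sizeof(channel_descriptions) / sizeof(channel_descriptions[0])` is now unsigned, and a negative `request_channel_count` (the old cast suggests the field is signed) passes it. Keeping `(int32)(sizeof(channel_descriptions) / sizeof(channel_descriptions[0]))` on the right-hand side restores the old behaviour. The get_description hunk in null_multi.c has the same two lines.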
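Review bot: `info` is handed to user_memcpy without a range check, both here and in the copy-out added at the end of buffer_exchange. If user_memcpy in this tree only recovers from faults and does not itself reject kernel addresses (worth confirming), a caller that passes a kernel address would have the stream counters written over kernel memory; the usual guard is `if (!IS_USER_ADDRESS(info) || user_memcpy(&buffer_info, info, sizeof(multi_buffer_info)) != B_OK)`. The same applies to `data` in both get_description hunks and to buffer_exchange in null_multi.c. buffer_exchange's body continues outside this hunk.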
@@ -513,16 +528,20 @@ buffer_exchange(ali_dev *card, multi_buffer_info *buffer_info) LOCK(card->lock_sts); - buffer_info->played_frames_count = play_s->frames_count; - buffer_info->played_real_time = play_s->real_time; - buffer_info->playback_buffer_cycle = play_s->buffer_cycle; + buffer_info.played_frames_count = play_s->frames_count; + buffer_info.played_real_time = play_s->real_time; + buffer_info.playback_buffer_cycle = play_s->buffer_cycle; - buffer_info->recorded_frames_count = rec_s->frames_count; - buffer_info->recorded_real_time = rec_s->real_time; - buffer_info->record_buffer_cycle = rec_s->buffer_cycle; + buffer_info.recorded_frames_count = rec_s->frames_count; + buffer_info.recorded_real_time = rec_s->real_time; + buffer_info.record_buffer_cycle = rec_s->buffer_cycle; UNLOCK(card->lock_sts); + if(user_memcpy(info, &buffer_info, sizeof(multi_buffer_info)) != B_OK) { + return B_BAD_ADDRESS; + } + return B_OK; } diff --git a/src/add-ons/kernel/drivers/audio/null/null_multi.c b/src/add-ons/kernel/drivers/audio/null/null_multi.c index f0a414692b..aa64b794f1 100644 --- a/src/add-ons/kernel/drivers/audio/null/null_multi.c +++ b/src/add-ons/kernel/drivers/audio/null/null_multi.c 
@@ -48,36 +48,49 @@ static status_t get_description(void* cookie, multi_description* data) { dprintf("null_audio: %s\n" , __func__ ); - data->interface_version = B_CURRENT_INTERFACE_VERSION; - data->interface_minimum = B_CURRENT_INTERFACE_VERSION; - - strcpy(data->friendly_name,"Virtual audio (null_audio)"); - strcpy(data->vendor_info,"Host/Haiku"); - - data->output_channel_count = 2; - data->input_channel_count = 2; - data->output_bus_channel_count = 2; - data->input_bus_channel_count = 2; - data->aux_bus_channel_count = 0; - - if (data->request_channel_count >= (int)(sizeof(channel_descriptions) / sizeof(channel_descriptions[0]))) { - memcpy(data->channels,&channel_descriptions,sizeof(channel_descriptions)); + + multi_description description; + if(user_memcpy(&description, data, sizeof(multi_description)) != B_OK) { + return B_BAD_ADDRESS; } - data->output_rates = B_SR_44100; - data->input_rates = B_SR_44100; + description.interface_version = B_CURRENT_INTERFACE_VERSION; + description.interface_minimum = B_CURRENT_INTERFACE_VERSION; - data->max_cvsr_rate = 0; - data->min_cvsr_rate = 0; + strcpy(description.friendly_name,"Virtual audio (null_audio)"); + strcpy(description.vendor_info,"Host/Haiku"); - data->output_formats = B_FMT_16BIT; - data->input_formats = B_FMT_16BIT; - data->lock_sources = B_MULTI_LOCK_INTERNAL; - data->timecode_sources = 0; - data->interface_flags = B_MULTI_INTERFACE_PLAYBACK | B_MULTI_INTERFACE_RECORD; - data->start_latency = 30000; + description.output_channel_count = 2; + description.input_channel_count = 2; + description.output_bus_channel_count = 2; + description.input_bus_channel_count = 2; + description.aux_bus_channel_count = 0; - strcpy(data->control_panel,""); + description.output_rates = B_SR_44100; + description.input_rates = B_SR_44100; + + description.max_cvsr_rate = 0; + description.min_cvsr_rate = 0; + + description.output_formats = B_FMT_16BIT; + description.input_formats = B_FMT_16BIT; + description.lock_sources = 
B_MULTI_LOCK_INTERNAL; + description.timecode_sources = 0; + description.interface_flags = B_MULTI_INTERFACE_PLAYBACK | B_MULTI_INTERFACE_RECORD; + description.start_latency = 30000; + + strcpy(description.control_panel,""); + + if(user_memcpy(data, &description, sizeof(multi_description)) != B_OK) { + return B_BAD_ADDRESS; + } + + if(description.request_channel_count + >= sizeof(channel_descriptions) / sizeof(channel_descriptions[0])) { + if(user_memcpy(data->channels, + &channel_descriptions, sizeof(channel_descriptions)) != B_OK) + return B_BAD_ADDRESS; + } return B_OK; } @@ -255,13 +268,18 @@ get_buffers(device_t* device, multi_buffer_list* data) static status_t -buffer_exchange(device_t* device, multi_buffer_info* buffer_info) +buffer_exchange(device_t* device, multi_buffer_info* info) { //dprintf("null_audio: %s\n" , __func__ ); static int debug_buffers_exchanged = 0; cpu_status status; status_t result; + multi_buffer_info buffer_info; + if(user_memcpy(&buffer_info, info, sizeof(multi_buffer_info)) != B_OK) { + return B_BAD_ADDRESS; + } + // On first call, we start our fake hardware. // Usually one would jump into his interrupt handler now if (!device->running) 
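Review bot: `multi_description description;` is declared after the `dprintf` call, so this get_description now has a declaration in the middle of its statements. That is valid C99 but rejected by a C89-mode compiler, and the hunk does not show which mode this driver is built in. Moving the declaration above the `dprintf` line sidesteps the question and matches the ali5451 version, where the declaration is the first line of the body.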
@@ -282,13 +300,13 @@ buffer_exchange(device_t* device, multi_buffer_info* buffer_info) status = disable_interrupts(); acquire_spinlock(&device->playback_stream.lock); - buffer_info->playback_buffer_cycle = device->playback_stream.buffer_cycle; - buffer_info->played_real_time = device->playback_stream.real_time; - buffer_info->played_frames_count = device->playback_stream.frames_count; + buffer_info.playback_buffer_cycle = device->playback_stream.buffer_cycle; + buffer_info.played_real_time = device->playback_stream.real_time; + buffer_info.played_frames_count = device->playback_stream.frames_count; - buffer_info->record_buffer_cycle = device->record_stream.buffer_cycle; - buffer_info->recorded_real_time = device->record_stream.real_time; - buffer_info->recorded_frames_count = device->record_stream.frames_count; + buffer_info.record_buffer_cycle = device->record_stream.buffer_cycle; + buffer_info.recorded_real_time = device->record_stream.real_time; + buffer_info.recorded_frames_count = device->record_stream.frames_count; release_spinlock(&device->playback_stream.lock); restore_interrupts(status); @@ -298,6 +316,10 @@ buffer_exchange(device_t* device, multi_buffer_info* buffer_info) dprintf("null_audio: %s: %d buffers processed\n", __func__, debug_buffers_exchanged); } + if(user_memcpy(info, &buffer_info, sizeof(multi_buffer_info)) != B_OK) { + return B_BAD_ADDRESS; + } + return B_OK; }