mirror of
https://github.com/KolibriOS/kolibrios.git
synced 2024-12-25 08:06:49 +03:00
fixed vulnerability (kernel memory rewrite) in sysfn 4
git-svn-id: svn://kolibrios.org@8715 a494cfbc-eb01-0410-851d-a64ba20cac60
This commit is contained in:
parent
5376120685
commit
c080568a52
@ -4441,6 +4441,15 @@ sys_putimage_palette:
|
|||||||
; esi = number of bits per pixel, must be 8, 24 or 32
|
; esi = number of bits per pixel, must be 8, 24 or 32
|
||||||
; edi = pointer to palette
|
; edi = pointer to palette
|
||||||
; ebp = row delta
|
; ebp = row delta
|
||||||
|
; check pointer
|
||||||
|
push ecx
|
||||||
|
mov ax, cx
|
||||||
|
shr ecx, 16
|
||||||
|
imul eax, ecx
|
||||||
|
stdcall is_region_userspace, ebx, eax
|
||||||
|
pop ecx
|
||||||
|
jz sys_putimage.exit
|
||||||
|
|
||||||
mov eax, [CURRENT_TASK]
|
mov eax, [CURRENT_TASK]
|
||||||
shl eax, 8
|
shl eax, 8
|
||||||
add dx, word [eax+SLOT_BASE+APPDATA.wnd_clientbox.top]
|
add dx, word [eax+SLOT_BASE+APPDATA.wnd_clientbox.top]
|
||||||
@ -5193,6 +5202,9 @@ align 4
|
|||||||
|
|
||||||
syscall_writetext: ; WriteText
|
syscall_writetext: ; WriteText
|
||||||
|
|
||||||
|
stdcall is_region_userspace, edx, esi
|
||||||
|
jz .err
|
||||||
|
|
||||||
mov eax, [TASK_BASE]
|
mov eax, [TASK_BASE]
|
||||||
mov ebp, [eax-twdw+WDATA.box.left]
|
mov ebp, [eax-twdw+WDATA.box.left]
|
||||||
push esi
|
push esi
|
||||||
@ -5209,10 +5221,17 @@ align 4
|
|||||||
@@:
|
@@:
|
||||||
mov eax, edi
|
mov eax, edi
|
||||||
test ecx, 0x08000000 ; redirect the output to the user area
|
test ecx, 0x08000000 ; redirect the output to the user area
|
||||||
jnz dtext
|
jnz @f
|
||||||
xor edi, edi
|
xor edi, edi
|
||||||
jmp dtext
|
jmp dtext
|
||||||
|
|
||||||
|
@@: ; check pointer
|
||||||
|
stdcall is_region_userspace, edi, 0
|
||||||
|
jz .err
|
||||||
|
jmp dtext
|
||||||
|
.err:
|
||||||
|
ret
|
||||||
|
|
||||||
align 4
|
align 4
|
||||||
|
|
||||||
syscall_drawrect: ; DrawRect
|
syscall_drawrect: ; DrawRect
|
||||||
|
Loading…
Reference in New Issue
Block a user