From eb12fd1d111a565254733412fcac9de85ba7d146 Mon Sep 17 00:00:00 2001
From: Matthew Dillon
Date: Fri, 13 Aug 2004 02:45:37 +0000
Subject: [PATCH] The base/count bounds checking was insufficient, leading to a kernel memory visibility hole. Note: additional cast to unsigned to catch signed overflows added by Matt Dillon
Submitted-by: =?ISO-8859-1?Q?Christer_=D6berg?=
---
 sys/dev/video/fb/vga.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sys/dev/video/fb/vga.c b/sys/dev/video/fb/vga.c
index 29aade15d0..405ba7a137 100644
--- a/sys/dev/video/fb/vga.c
+++ b/sys/dev/video/fb/vga.c
@@ -27,7 +27,7 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * $FreeBSD: src/sys/dev/fb/vga.c,v 1.9.2.1 2001/08/11 02:58:44 yokota Exp $
- * $DragonFly: src/sys/dev/video/fb/vga.c,v 1.7 2004/02/24 19:42:19 joerg Exp $
+ * $DragonFly: src/sys/dev/video/fb/vga.c,v 1.8 2004/08/13 02:45:37 dillon Exp $
 */

 #include "opt_vga.h"
@@ -2848,7 +2848,7 @@ get_palette(video_adapter_t *adp, int base, int count,
 u_char *g;
 u_char *b;

- if ((base < 0) || (base >= 256) || (base + count > 256))
+ if (base < 0 || base >= 256 || count < 0 || (u_int)(base + count) > 256)
 return EINVAL;

 r = malloc(count*3, M_DEVBUF, M_WAITOK);
@@ -2877,7 +2877,7 @@ set_palette(video_adapter_t *adp, int base, int count,
 u_char *b;
 int err;

- if ((base < 0) || (base >= 256) || (base + count > 256))
+ if (base < 0 || base >= 256 || count < 0 || (u_int)(base + count) > 256)
 return EINVAL;

 r = malloc(count*3, M_DEVBUF, M_WAITOK);
-- 
2.41.0
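Review bot: In the new guard of get_palette, `base + count` is still added as signed `int` before the `(u_int)` cast, so a very large `count` overflows in signed arithmetic, which is undefined behaviour; the check rejects such values only if the compiler happens to wrap. Because `base` is already known to lie in 0..255 at that point, the same bound can be written with no overflow as `if (base < 0 || base >= 256 || count < 0 || count > 256 - base)`. The identical guard in the set_palette hunk needs the same change. A `count` of 0 still passes and reaches `malloc(count*3, M_DEVBUF, M_WAITOK)`; whether a zero-length request is acceptable there should be confirmed. Both function bodies start and end outside their hunks, so how `r`, `g` and `b` are used afterwards is not visible here.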