diff options
| author | Wolfgang Kroworsch <wolfgang@kroworsch.de> | 2008-11-06 15:53:16 -0500 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2008-11-06 18:41:17 -0500 |
| commit | a564738c1c9c7b9ed696bf4116267789201ac8ac (patch) | |
| tree | e5bd2ee7c28e2831bea5c1727452978c76c1c108 /drivers/char | |
| parent | 2197d18ded232ef6eef63cce57b6b21eddf1b7b6 (diff) | |
vt: incomplete initialization of vc_tab_stop
Problem 1 (see patch below):
vc_tab_stop is declared as an array of 8 unsigned ints in struct
vc_data in include/linux/console_struct.h .
In drivers/char/vt.c only 5 of these 8 unsigned ints get initialized
leading to unintended tabulator placement on displays with more than
160 columns text.
Problem 2 (open):
Upcoming displays will have more than 256 columns of text leading to
invalid memory access in drivers/char/vt.c during tabulator
calculations:
if (vc->vc_tab_stop[vc->vc_x >> 5] & (1 << (vc->vc_x & 31)))
break;
Signed-off-by: Wolfgang Kroworsch <wolfgang@kroworsch.de>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'drivers/char')
| -rw-r--r-- | drivers/char/vt.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/drivers/char/vt.c b/drivers/char/vt.c index d8f83e26e4a..a5af6072e2b 100644 --- a/drivers/char/vt.c +++ b/drivers/char/vt.c | |||
| @@ -1644,7 +1644,10 @@ static void reset_terminal(struct vc_data *vc, int do_clear) | |||
| 1644 | vc->vc_tab_stop[1] = | 1644 | vc->vc_tab_stop[1] = |
| 1645 | vc->vc_tab_stop[2] = | 1645 | vc->vc_tab_stop[2] = |
| 1646 | vc->vc_tab_stop[3] = | 1646 | vc->vc_tab_stop[3] = |
| 1647 | vc->vc_tab_stop[4] = 0x01010101; | 1647 | vc->vc_tab_stop[4] = |
| 1648 | vc->vc_tab_stop[5] = | ||
| 1649 | vc->vc_tab_stop[6] = | ||
| 1650 | vc->vc_tab_stop[7] = 0x01010101; | ||
| 1648 | 1651 | ||
| 1649 | vc->vc_bell_pitch = DEFAULT_BELL_PITCH; | 1652 | vc->vc_bell_pitch = DEFAULT_BELL_PITCH; |
| 1650 | vc->vc_bell_duration = DEFAULT_BELL_DURATION; | 1653 | vc->vc_bell_duration = DEFAULT_BELL_DURATION; |
| @@ -1935,7 +1938,10 @@ static void do_con_trol(struct tty_struct *tty, struct vc_data *vc, int c) | |||
| 1935 | vc->vc_tab_stop[1] = | 1938 | vc->vc_tab_stop[1] = |
| 1936 | vc->vc_tab_stop[2] = | 1939 | vc->vc_tab_stop[2] = |
| 1937 | vc->vc_tab_stop[3] = | 1940 | vc->vc_tab_stop[3] = |
| 1938 | vc->vc_tab_stop[4] = 0; | 1941 | vc->vc_tab_stop[4] = |
| 1942 | vc->vc_tab_stop[5] = | ||
| 1943 | vc->vc_tab_stop[6] = | ||
| 1944 | vc->vc_tab_stop[7] = 0; | ||
| 1939 | } | 1945 | } |
| 1940 | return; | 1946 | return; |
| 1941 | case 'm': | 1947 | case 'm': |