aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAntonino A. Daplas <adaplas@gmail.com>2005-09-06 18:17:52 -0400
committerLinus Torvalds <torvalds@g5.osdl.org>2005-09-07 19:57:36 -0400
commit414edcd32aa54bad8827e7c74cace168006c5fab (patch)
tree4c4861b54b2c1529c4677e6d31bb6027568aaa1a
parenteed74dfcd48101d259012ac08d29061eea500249 (diff)
[PATCH] vt: fix possible memory corruption in complement_pos
Based on a patch from Andr Pereira de Almeida <andre@cachola.com.br> It might be possible for the saved pointer (*p) to become invalid in between vc_resizes, so saving the screen offset instead of the screen pointer is saner. This bug is very hard to trigger though, but Andre probably did, if he's submitting this patch. Anyway, with Andre's patch, it's still possible for the offsets to be still illegal, if the new screen size is smaller than the old one. So I've also added checks if the offsets are still within the screenbuffer size. Signed-off-by: Antonino Daplas <adaplas@pol.net> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r--drivers/char/vt.c17
1 files changed, 11 insertions, 6 deletions
diff --git a/drivers/char/vt.c b/drivers/char/vt.c
index 27b6c297906a..b8d0c290b0db 100644
--- a/drivers/char/vt.c
+++ b/drivers/char/vt.c
@@ -434,21 +434,25 @@ void invert_screen(struct vc_data *vc, int offset, int count, int viewed)
434/* used by selection: complement pointer position */ 434/* used by selection: complement pointer position */
435void complement_pos(struct vc_data *vc, int offset) 435void complement_pos(struct vc_data *vc, int offset)
436{ 436{
437 static unsigned short *p; 437 static int old_offset = -1;
438 static unsigned short old; 438 static unsigned short old;
439 static unsigned short oldx, oldy; 439 static unsigned short oldx, oldy;
440 440
441 WARN_CONSOLE_UNLOCKED(); 441 WARN_CONSOLE_UNLOCKED();
442 442
443 if (p) { 443 if (old_offset != -1 && old_offset >= 0 &&
444 scr_writew(old, p); 444 old_offset < vc->vc_screenbuf_size) {
445 scr_writew(old, screenpos(vc, old_offset, 1));
445 if (DO_UPDATE(vc)) 446 if (DO_UPDATE(vc))
446 vc->vc_sw->con_putc(vc, old, oldy, oldx); 447 vc->vc_sw->con_putc(vc, old, oldy, oldx);
447 } 448 }
448 if (offset == -1) 449
449 p = NULL; 450 old_offset = offset;
450 else { 451
452 if (offset != -1 && offset >= 0 &&
453 offset < vc->vc_screenbuf_size) {
451 unsigned short new; 454 unsigned short new;
455 unsigned short *p;
452 p = screenpos(vc, offset, 1); 456 p = screenpos(vc, offset, 1);
453 old = scr_readw(p); 457 old = scr_readw(p);
454 new = old ^ vc->vc_complement_mask; 458 new = old ^ vc->vc_complement_mask;
@@ -459,6 +463,7 @@ void complement_pos(struct vc_data *vc, int offset)
459 vc->vc_sw->con_putc(vc, new, oldy, oldx); 463 vc->vc_sw->con_putc(vc, new, oldy, oldx);
460 } 464 }
461 } 465 }
466
462} 467}
463 468
464static void insert_char(struct vc_data *vc, unsigned int nr) 469static void insert_char(struct vc_data *vc, unsigned int nr)