Hi,
On 29. 07. 20, 9:53, 张云海 wrote:
> This patch dosen't fix the issue, the check should be in the loop.
>
> The change of the VT sze is before vgacon_scrollback_update, not in the
> meantime.
>
> Let's consider the following situation:
> suppose:
> vgacon_scrollback_cur->size is 65440
> vgacon_scrollback_cur->tail is 64960
> c->vc_size_row is 160
> count is 5
>
> Reset c->vc_size_row to 200 by VT_RESIZE, then call
> vgacon_scrollback_update.
>
> This will pass the check, since (vgacon_scrollback_cur->tail +
> c->vc_size_row)
> is 65160 which is less then vgacon_scrollback_cur->size(65440).
>
> However, in the 3rd iteration of the loop, vgacon_scrollback_cur->tail
> is update
> to 65360, the memcpy will overflow.
But the loop checks for the overflow:
if (vgacon_scrollback_cur->tail >= vgacon_scrollback_cur->size)
vgacon_scrollback_cur->tail = 0;
So the first 2 iterations would write to the end of the buffer and this
3rd one should have zeroed ->tail.
thanks,
--
js
suse labs
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
