The patch titled

     vt: fix possible memory corruption in complement_pos

has been added to the -mm tree.  Its filename is

     vt-fix-possible-memory-corruption-in-complement_pos.patch

Patches currently in -mm which might be from [EMAIL PROTECTED] are

vt-fix-possible-memory-corruption-in-complement_pos.patch
fbdev-add-fbset-a-support.patch
vesafb-add-blanking-support.patch
fbdev-resurrect-hooks-to-get-edid-from-firmware.patch
fbdev-resurrect-hooks-to-get-edid-from-firmware-fix.patch
savagefb-driver-updates.patch
nvidiafb-fallback-to-firmware-edid.patch
fbdev-fix-greater-than-1-bit-monochrome-color-handling.patch
fbcon-saner-16-color-to-4-color-conversion.patch
console-fix-buffer-copy-on-vc-resize.patch
radeonfb_old-fix-broken-link.patch
fbdev-update-framebuffer-feature-list.patch

From: "Antonino A. Daplas" <[EMAIL PROTECTED]>

Based on a patch from Andre Pereira de Almeida <[EMAIL PROTECTED]>

It might be possible for the saved pointer (*p) to become invalid in
between vc_resizes, so saving the screen offset instead of the screen
pointer is saner.

This bug is very hard to trigger though, but Andre probably did, if he's
submitting this patch.  Anyway, with Andre's patch, it's still possible for
the offsets to be illegal if the new screen size is smaller than the
old one.  So I've also added checks if the offsets are still within the
screenbuffer size.

Signed-off-by: Antonino Daplas <[EMAIL PROTECTED]>
Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
---
drivers/char/vt.c | 17 +++++++++++------
1 files changed, 11 insertions(+), 6 deletions(-)
diff -puN drivers/char/vt.c~vt-fix-possible-memory-corruption-in-complement_pos
drivers/char/vt.c
--- devel/drivers/char/vt.c~vt-fix-possible-memory-corruption-in-complement_pos
2005-08-30 17:29:12.000000000 -0700
+++ devel-akpm/drivers/char/vt.c 2005-08-30 17:29:12.000000000 -0700
@@ -438,21 +438,25 @@ void invert_screen(struct vc_data *vc, i
/* used by selection: complement pointer position */
void complement_pos(struct vc_data *vc, int offset)
{
- static unsigned short *p;
+ static int old_offset = -1;
static unsigned short old;
static unsigned short oldx, oldy;
WARN_CONSOLE_UNLOCKED();
- if (p) {
- scr_writew(old, p);
+ if (old_offset != -1 && old_offset >= 0 &&
+ old_offset < vc->vc_screenbuf_size) {
+ scr_writew(old, screenpos(vc, old_offset, 1));
if (DO_UPDATE(vc))
vc->vc_sw->con_putc(vc, old, oldy, oldx);
}
- if (offset == -1)
- p = NULL;
- else {
+
+ old_offset = offset;
+
+ if (offset != -1 && offset >= 0 &&
+ offset < vc->vc_screenbuf_size) {
unsigned short new;
+ unsigned short *p;
p = screenpos(vc, offset, 1);
old = scr_readw(p);
new = old ^ vc->vc_complement_mask;
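Review bot: The restore branch validates old_offset against vc->vc_screenbuf_size, but the con_putc(vc, old, oldy, oldx) call directly under it still uses the saved oldx/oldy unchecked, so after a resize to a smaller screen those coordinates can fall outside the new geometry even when the offset passes. Consider validating them as well, or skipping the con_putc when the saved position no longer fits. Smaller points in the same conditions: "old_offset != -1 && old_offset >= 0" (and the matching test on offset) is redundant, since ">= 0" already excludes -1. Because scr_writew() stores an unsigned short, the upper bound should leave room for the whole 16-bit cell if the offset is counted in bytes, which these lines do not show. The statics are also shared by every vc passed in, so an old_offset saved for one console is checked against whichever vc_screenbuf_size arrives with the next call; a comment stating that assumption would help.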
@@ -463,6 +467,7 @@ void complement_pos(struct vc_data *vc,
vc->vc_sw->con_putc(vc, new, oldy, oldx);
}
}
+
}
static void insert_char(struct vc_data *vc, unsigned int nr)
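Review bot: The only change in this hunk is a blank line added before the closing brace of complement_pos(); it is whitespace noise unrelated to the fix and should be dropped so the patch carries only the functional change.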
_