Module Name: src
Committed By: nat
Date: Thu May 11 23:26:48 UTC 2017
Modified Files:
src/sys/dev: audio.c
Log Message:
Improved overflow test for audio_mmap.
Ok riastradh@.
To generate a diff of this commit:
cvs rdiff -u -r1.338 -r1.339 src/sys/dev/audio.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/audio.c
diff -u src/sys/dev/audio.c:1.338 src/sys/dev/audio.c:1.339
--- src/sys/dev/audio.c:1.338 Thu May 11 23:20:38 2017
+++ src/sys/dev/audio.c Thu May 11 23:26:48 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: audio.c,v 1.338 2017/05/11 23:20:38 nat Exp $ */
+/* $NetBSD: audio.c,v 1.339 2017/05/11 23:26:48 nat Exp $ */
/*-
* Copyright (c) 2016 Nathanial Sloss <nathanialsl...@yahoo.com.au>
@@ -148,7 +148,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: audio.c,v 1.338 2017/05/11 23:20:38 nat Exp $");
+__KERNEL_RCSID(0, "$NetBSD: audio.c,v 1.339 2017/05/11 23:26:48 nat Exp $");
#include "audio.h"
#if NAUDIO > 0
@@ -3407,10 +3407,7 @@ audio_mmap(struct audio_softc *sc, off_t
if (*offp < 0)
return EINVAL;
- if ((off_t)(*offp + len) < *offp) {
- /* no offset wrapping */
- return EOVERFLOW;
- }
+
#if 0
/* XXX
* The idea here was to use the protection to determine if
@@ -3435,7 +3432,7 @@ audio_mmap(struct audio_softc *sc, off_t
cb = &vc->sc_mpr;
#endif
- if ((u_int)*offp >= cb->s.bufsize)
+ if (len > cb->s.bufsize || *offp > cb->s.bufsize - len)
return EOVERFLOW;
if (!cb->mmapped) {
