Module Name: src Committed By: nat Date: Thu May 11 23:26:48 UTC 2017
Modified Files: src/sys/dev: audio.c Log Message: Improved overflow test for audio_mmap. Ok riastradh@. To generate a diff of this commit: cvs rdiff -u -r1.338 -r1.339 src/sys/dev/audio.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/dev/audio.c diff -u src/sys/dev/audio.c:1.338 src/sys/dev/audio.c:1.339 --- src/sys/dev/audio.c:1.338 Thu May 11 23:20:38 2017 +++ src/sys/dev/audio.c Thu May 11 23:26:48 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: audio.c,v 1.338 2017/05/11 23:20:38 nat Exp $ */ +/* $NetBSD: audio.c,v 1.339 2017/05/11 23:26:48 nat Exp $ */ /*- * Copyright (c) 2016 Nathanial Sloss <nathanialsl...@yahoo.com.au> @@ -148,7 +148,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: audio.c,v 1.338 2017/05/11 23:20:38 nat Exp $"); +__KERNEL_RCSID(0, "$NetBSD: audio.c,v 1.339 2017/05/11 23:26:48 nat Exp $"); #include "audio.h" #if NAUDIO > 0 @@ -3407,10 +3407,7 @@ audio_mmap(struct audio_softc *sc, off_t if (*offp < 0) return EINVAL; - if ((off_t)(*offp + len) < *offp) { - /* no offset wrapping */ - return EOVERFLOW; - } + #if 0 /* XXX * The idea here was to use the protection to determine if @@ -3435,7 +3432,7 @@ audio_mmap(struct audio_softc *sc, off_t cb = &vc->sc_mpr; #endif - if ((u_int)*offp >= cb->s.bufsize) + if (len > cb->s.bufsize || *offp > cb->s.bufsize - len) return EOVERFLOW; if (!cb->mmapped) {