fs: Check offset and length more carefully in mmap callback

Signed-off-by: Xiang Xiao <xiaoxiang@xiaomi.com>
Xiang Xiao 2023-01-03 01:27:25 +08:00 committed by Petro Karashchenko
parent b0a0ba3ad7
commit 7179d57026
5 changed files with 25 additions and 14 deletions


@ -686,7 +686,8 @@ static int fb_mmap(FAR struct file *filep, FAR struct mm_map_entry_s *map)
/* Return the address corresponding to the start of frame buffer. */ /* Return the address corresponding to the start of frame buffer. */
if (map->offset + map->length <= fb->fblen) if (map->offset >= 0 && map->offset < fb->fblen &&
map->length && map->offset + map->length <= fb->fblen)
{ {
map->vaddr = (FAR char *)fb->fbmem + map->offset; map->vaddr = (FAR char *)fb->fbmem + map->offset;
ret = OK; ret = OK;
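Review bot: The final clause `map->offset + map->length <= fb->fblen` can still wrap, so a very large `map->length` may pass the check even with the new offset and non-zero tests in place. This assumes `length` is an unsigned size and the sum is not computed in a wider type (the declarations are not in this hunk), in which case the sum is reduced modulo the type's range before the comparison. Because `map->offset < fb->fblen` is already established at that point, the subtraction form cannot wrap: `map->length <= fb->fblen - map->offset`. The same expression appears in video_mmap, romfs_mmap and tmpfs_mmap in this commit and would want the same change. fb_mmap's body starts and ends outside the hunk.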


@ -1582,6 +1582,12 @@ static size_t get_bufsize(FAR video_format_t *vf)
} }
} }
static size_t get_heapsize(FAR video_type_inf_t *type_inf)
{
return type_inf->bufinf.container_size *
get_bufsize(&type_inf->fmt[VIDEO_FMT_MAIN]);
}
static int video_try_fmt(FAR struct video_mng_s *priv, static int video_try_fmt(FAR struct video_mng_s *priv,
FAR struct v4l2_format *v4l2) FAR struct v4l2_format *v4l2)
{ {
@ -3195,13 +3201,16 @@ static int video_ioctl(FAR struct file *filep, int cmd, unsigned long arg)
static int video_mmap(FAR struct file *filep, FAR struct mm_map_entry_s *map) static int video_mmap(FAR struct file *filep, FAR struct mm_map_entry_s *map)
{ {
FAR struct inode *inode = filep->f_inode; FAR struct inode *inode = filep->f_inode;
FAR video_mng_t *priv = (FAR video_mng_t *)inode->i_private; FAR video_mng_t *priv = (FAR video_mng_t *)inode->i_private;
int ret = -EINVAL; FAR video_type_inf_t *type_inf = &priv->video_inf;
size_t heapsize = get_heapsize(type_inf);
int ret = -EINVAL;
if (map) if (map->offset >= 0 && map->offset < heapsize &&
map->length && map->offset + map->length <= heapsize)
{ {
map->vaddr = priv->video_inf.bufheap + map->offset; map->vaddr = type_inf->bufheap + map->offset;
ret = OK; ret = OK;
} }
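Review bot: In video_mmap the bound `heapsize` is recomputed from the format settings by get_heapsize() rather than taken from the allocation behind `type_inf->bufheap`, so the range check only protects the mapping if the two always agree. The allocation is not visible in this section; if `bufheap` can be NULL, or was sized before a later format change, the test passes against a size the buffer does not have. Consider adding `type_inf->bufheap != NULL &&` to the condition, and a comment on get_heapsize() stating that it must match the size used when `bufheap` is allocated. The product `container_size * get_bufsize(...)` is also not checked for overflow. The rest of video_mmap is not shown in this hunk.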


@ -580,7 +580,7 @@ errout_with_lock:
static int romfs_ioctl(FAR struct file *filep, int cmd, unsigned long arg) static int romfs_ioctl(FAR struct file *filep, int cmd, unsigned long arg)
{ {
FAR struct romfs_file_s *rf; FAR struct romfs_file_s *rf;
finfo("cmd: %d arg: %08lx\n", cmd, arg); finfo("cmd: %d arg: %08lx\n", cmd, arg);
@ -625,8 +625,8 @@ static int romfs_mmap(FAR struct file *filep, FAR struct mm_map_entry_s *map)
* the file. * the file.
*/ */
if (map && rm && rm->rm_xipbase && rf && if (rm->rm_xipbase && map->offset >= 0 && map->offset < rf->rf_size &&
map->offset + map->length <= rf->rf_size) map->length != 0 && map->offset + map->length <= rf->rf_size)
{ {
map->vaddr = rm->rm_xipbase + rf->rf_startoffset + map->offset; map->vaddr = rm->rm_xipbase + rf->rf_startoffset + map->offset;
ret = OK; ret = OK;
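Review bot: The new condition in romfs_mmap dereferences `rm->rm_xipbase` and `rf->rf_size` after dropping the old `map && rm && ... rf` NULL tests. Whether `rm` and `rf` are validated earlier in the function is not visible here, since the body starts outside the hunk. If the caller guarantees them, an assertion documents that, in the style tmpfs_mmap already uses: `DEBUGASSERT(rm != NULL && rf != NULL);`. This section also spells the length test `map->length != 0` while the other callbacks in this commit write `map->length`; one form throughout would read better.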


@ -109,7 +109,7 @@ static int rpmsgfs_fstat(FAR const struct file *filep,
FAR struct stat *buf); FAR struct stat *buf);
static int rpmsgfs_fchstat(FAR const struct file *filep, static int rpmsgfs_fchstat(FAR const struct file *filep,
FAR const struct stat *buf, int flags); FAR const struct stat *buf, int flags);
static int rpmsgfs_ftruncate(FAR struct file *filep, static int rpmsgfs_truncate(FAR struct file *filep,
off_t length); off_t length);
static int rpmsgfs_opendir(FAR struct inode *mountpt, static int rpmsgfs_opendir(FAR struct inode *mountpt,
@ -162,7 +162,7 @@ const struct mountpt_operations rpmsgfs_operations =
rpmsgfs_seek, /* seek */ rpmsgfs_seek, /* seek */
rpmsgfs_ioctl, /* ioctl */ rpmsgfs_ioctl, /* ioctl */
NULL, /* mmap */ NULL, /* mmap */
rpmsgfs_ftruncate, /* ftruncate */ rpmsgfs_truncate, /* truncate */
rpmsgfs_sync, /* sync */ rpmsgfs_sync, /* sync */
rpmsgfs_dup, /* dup */ rpmsgfs_dup, /* dup */
@ -804,7 +804,7 @@ static int rpmsgfs_fchstat(FAR const struct file *filep,
} }
/**************************************************************************** /****************************************************************************
* Name: rpmsgfs_ftruncate * Name: rpmsgfs_truncate
* *
* Description: * Description:
* Set the length of the open, regular file associated with the file * Set the length of the open, regular file associated with the file
@ -812,7 +812,7 @@ static int rpmsgfs_fchstat(FAR const struct file *filep,
* *
****************************************************************************/ ****************************************************************************/
static int rpmsgfs_ftruncate(FAR struct file *filep, off_t length) static int rpmsgfs_truncate(FAR struct file *filep, off_t length)
{ {
FAR struct inode *inode; FAR struct inode *inode;
FAR struct rpmsgfs_mountpt_s *fs; FAR struct rpmsgfs_mountpt_s *fs;


@ -1655,7 +1655,8 @@ static int tmpfs_mmap(FAR struct file *filep, FAR struct mm_map_entry_s *map)
DEBUGASSERT(tfo != NULL); DEBUGASSERT(tfo != NULL);
if (map && map->offset + map->length <= tfo->tfo_size) if (map->offset >= 0 && map->offset < tfo->tfo_size &&
map->length && map->offset + map->length <= tfo->tfo_size)
{ {
map->vaddr = tfo->tfo_data + map->offset; map->vaddr = tfo->tfo_data + map->offset;
ret = OK; ret = OK;