You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@nuttx.apache.org by pk...@apache.org on 2023/01/04 15:44:08 UTC
[nuttx] 02/02: fs: Check offset and length more carefully in mmap callback
This is an automated email from the ASF dual-hosted git repository.
pkarashchenko pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/nuttx.git
commit 7179d57026696f97393e79a161ad945633c8150b
Author: Xiang Xiao <xi...@xiaomi.com>
AuthorDate: Tue Jan 3 01:27:25 2023 +0800
fs: Check offset and length more carefully in mmap callback
Signed-off-by: Xiang Xiao <xi...@xiaomi.com>
---
drivers/video/fb.c | 3 ++-
drivers/video/video.c | 19 ++++++++++++++-----
fs/romfs/fs_romfs.c | 6 +++---
fs/rpmsgfs/rpmsgfs.c | 8 ++++----
fs/tmpfs/fs_tmpfs.c | 3 ++-
5 files changed, 25 insertions(+), 14 deletions(-)
diff --git a/drivers/video/fb.c b/drivers/video/fb.c
index 05f86e81de..9a0a764ca7 100644
--- a/drivers/video/fb.c
+++ b/drivers/video/fb.c
@@ -686,7 +686,8 @@ static int fb_mmap(FAR struct file *filep, FAR struct mm_map_entry_s *map)
/* Return the address corresponding to the start of frame buffer. */
- if (map->offset + map->length <= fb->fblen)
+ if (map->offset >= 0 && map->offset < fb->fblen &&
+ map->length && map->offset + map->length <= fb->fblen)
{
map->vaddr = (FAR char *)fb->fbmem + map->offset;
ret = OK;
diff --git a/drivers/video/video.c b/drivers/video/video.c
index 7d6612ba43..3c45408603 100644
--- a/drivers/video/video.c
+++ b/drivers/video/video.c
@@ -1582,6 +1582,12 @@ static size_t get_bufsize(FAR video_format_t *vf)
}
}
+static size_t get_heapsize(FAR video_type_inf_t *type_inf)
+{
+ return type_inf->bufinf.container_size *
+ get_bufsize(&type_inf->fmt[VIDEO_FMT_MAIN]);
+}
+
static int video_try_fmt(FAR struct video_mng_s *priv,
FAR struct v4l2_format *v4l2)
{
@@ -3195,13 +3201,16 @@ static int video_ioctl(FAR struct file *filep, int cmd, unsigned long arg)
static int video_mmap(FAR struct file *filep, FAR struct mm_map_entry_s *map)
{
- FAR struct inode *inode = filep->f_inode;
- FAR video_mng_t *priv = (FAR video_mng_t *)inode->i_private;
- int ret = -EINVAL;
+ FAR struct inode *inode = filep->f_inode;
+ FAR video_mng_t *priv = (FAR video_mng_t *)inode->i_private;
+ FAR video_type_inf_t *type_inf = &priv->video_inf;
+ size_t heapsize = get_heapsize(type_inf);
+ int ret = -EINVAL;
- if (map)
+ if (map->offset >= 0 && map->offset < heapsize &&
+ map->length && map->offset + map->length <= heapsize)
{
- map->vaddr = priv->video_inf.bufheap + map->offset;
+ map->vaddr = type_inf->bufheap + map->offset;
ret = OK;
}
diff --git a/fs/romfs/fs_romfs.c b/fs/romfs/fs_romfs.c
index 10e9cd25c5..bafcdd25bd 100644
--- a/fs/romfs/fs_romfs.c
+++ b/fs/romfs/fs_romfs.c
@@ -580,7 +580,7 @@ errout_with_lock:
static int romfs_ioctl(FAR struct file *filep, int cmd, unsigned long arg)
{
- FAR struct romfs_file_s *rf;
+ FAR struct romfs_file_s *rf;
finfo("cmd: %d arg: %08lx\n", cmd, arg);
@@ -625,8 +625,8 @@ static int romfs_mmap(FAR struct file *filep, FAR struct mm_map_entry_s *map)
* the file.
*/
- if (map && rm && rm->rm_xipbase && rf &&
- map->offset + map->length <= rf->rf_size)
+ if (rm->rm_xipbase && map->offset >= 0 && map->offset < rf->rf_size &&
+ map->length != 0 && map->offset + map->length <= rf->rf_size)
{
map->vaddr = rm->rm_xipbase + rf->rf_startoffset + map->offset;
ret = OK;
diff --git a/fs/rpmsgfs/rpmsgfs.c b/fs/rpmsgfs/rpmsgfs.c
index 7f0c4f69cc..63cfc29003 100644
--- a/fs/rpmsgfs/rpmsgfs.c
+++ b/fs/rpmsgfs/rpmsgfs.c
@@ -109,7 +109,7 @@ static int rpmsgfs_fstat(FAR const struct file *filep,
FAR struct stat *buf);
static int rpmsgfs_fchstat(FAR const struct file *filep,
FAR const struct stat *buf, int flags);
-static int rpmsgfs_ftruncate(FAR struct file *filep,
+static int rpmsgfs_truncate(FAR struct file *filep,
off_t length);
static int rpmsgfs_opendir(FAR struct inode *mountpt,
@@ -162,7 +162,7 @@ const struct mountpt_operations rpmsgfs_operations =
rpmsgfs_seek, /* seek */
rpmsgfs_ioctl, /* ioctl */
NULL, /* mmap */
- rpmsgfs_ftruncate, /* ftruncate */
+ rpmsgfs_truncate, /* truncate */
rpmsgfs_sync, /* sync */
rpmsgfs_dup, /* dup */
@@ -804,7 +804,7 @@ static int rpmsgfs_fchstat(FAR const struct file *filep,
}
/****************************************************************************
- * Name: rpmsgfs_ftruncate
+ * Name: rpmsgfs_truncate
*
* Description:
* Set the length of the open, regular file associated with the file
@@ -812,7 +812,7 @@ static int rpmsgfs_fchstat(FAR const struct file *filep,
*
****************************************************************************/
-static int rpmsgfs_ftruncate(FAR struct file *filep, off_t length)
+static int rpmsgfs_truncate(FAR struct file *filep, off_t length)
{
FAR struct inode *inode;
FAR struct rpmsgfs_mountpt_s *fs;
diff --git a/fs/tmpfs/fs_tmpfs.c b/fs/tmpfs/fs_tmpfs.c
index d152d69293..56dbd39fa5 100644
--- a/fs/tmpfs/fs_tmpfs.c
+++ b/fs/tmpfs/fs_tmpfs.c
@@ -1655,7 +1655,8 @@ static int tmpfs_mmap(FAR struct file *filep, FAR struct mm_map_entry_s *map)
DEBUGASSERT(tfo != NULL);
- if (map && map->offset + map->length <= tfo->tfo_size)
+ if (map->offset >= 0 && map->offset < tfo->tfo_size &&
+ map->length && map->offset + map->length <= tfo->tfo_size)
{
map->vaddr = tfo->tfo_data + map->offset;
ret = OK;