diff options
| author | Ed Maste <emaste@FreeBSD.org> | 2021-09-22 18:41:00 +0000 |
|---|---|---|
| committer | Ed Maste <emaste@FreeBSD.org> | 2022-01-10 14:51:54 +0000 |
| commit | 3e0a1e12416996b63949de2b11ca74a0e0d70bd5 (patch) | |
| tree | edc51f1976dc82b82fcb04f947ffd3696cbfd95d | |
| parent | 4378aee9f82fa568f3efb34afa17b48927c06864 (diff) | |
| download | src-3e0a1e12416996b63949de2b11ca74a0e0d70bd5.tar.gz src-3e0a1e12416996b63949de2b11ca74a0e0d70bd5.zip | |
vt: bound buffer access in redraw optimization
PR: 248628
Reported by: oleg
Reviewed by: cem, oleg (both earlier)
Fixes: ee97b2336aa4 ("Speed up vt(4) by keeping...")
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D32059
(cherry picked from commit dbc7ca59451561a179f9852642e13ef024169d84)
(cherry picked from commit e4fcff8ee124f8faed2f1fcc1e15b7ae6906d4d7)
Approved by: so
Security: FreeBSD-SA-22:01.vt
| -rw-r--r-- | sys/dev/vt/hw/fb/vt_fb.c | 6 | ||||
| -rw-r--r-- | sys/dev/vt/hw/vga/vt_vga.c | 6 |
2 files changed, 12 insertions, 0 deletions
diff --git a/sys/dev/vt/hw/fb/vt_fb.c b/sys/dev/vt/hw/fb/vt_fb.c index 01850f789d29..c535d1b753c9 100644 --- a/sys/dev/vt/hw/fb/vt_fb.c +++ b/sys/dev/vt/hw/fb/vt_fb.c @@ -355,6 +355,9 @@ vt_fb_bitblt_text(struct vt_device *vd, const struct vt_window *vw, VTBUF_ISCURSOR(&vw->vw_buf, row, col), &fg, &bg); z = row * PIXEL_WIDTH(VT_FB_MAX_WIDTH) + col; + if (z >= PIXEL_HEIGHT(VT_FB_MAX_HEIGHT) * + PIXEL_WIDTH(VT_FB_MAX_WIDTH)) + continue; if (vd->vd_drawn && (vd->vd_drawn[z] == c) && vd->vd_drawnfg && (vd->vd_drawnfg[z] == fg) && vd->vd_drawnbg && (vd->vd_drawnbg[z] == bg)) @@ -405,6 +408,9 @@ vt_fb_invalidate_text(struct vt_device *vd, const term_rect_t *area) for (col = area->tr_begin.tp_col; col < area->tr_end.tp_col; ++col) { z = row * PIXEL_WIDTH(VT_FB_MAX_WIDTH) + col; + if (z >= PIXEL_HEIGHT(VT_FB_MAX_HEIGHT) * + PIXEL_WIDTH(VT_FB_MAX_WIDTH)) + continue; if (vd->vd_drawn) vd->vd_drawn[z] = 0; if (vd->vd_drawnfg) diff --git a/sys/dev/vt/hw/vga/vt_vga.c b/sys/dev/vt/hw/vga/vt_vga.c index 88a9b1c47338..563867399e53 100644 --- a/sys/dev/vt/hw/vga/vt_vga.c +++ b/sys/dev/vt/hw/vga/vt_vga.c @@ -888,6 +888,9 @@ vga_bitblt_text_txtmode(struct vt_device *vd, const struct vt_window *vw, &fg, &bg); z = row * PIXEL_WIDTH(VT_FB_MAX_WIDTH) + col; + if (z >= PIXEL_HEIGHT(VT_FB_MAX_HEIGHT) * + PIXEL_WIDTH(VT_FB_MAX_WIDTH)) + continue; if (vd->vd_drawn && (vd->vd_drawn[z] == c) && vd->vd_drawnfg && (vd->vd_drawnfg[z] == fg) && vd->vd_drawnbg && (vd->vd_drawnbg[z] == bg)) @@ -941,6 +944,9 @@ vga_invalidate_text(struct vt_device *vd, const term_rect_t *area) col < area->tr_end.tp_col; ++col) { z = row * PIXEL_WIDTH(VT_FB_MAX_WIDTH) + col; + if (z >= PIXEL_HEIGHT(VT_FB_MAX_HEIGHT) * + PIXEL_WIDTH(VT_FB_MAX_WIDTH)) + continue; if (vd->vd_drawn) vd->vd_drawn[z] = 0; if (vd->vd_drawnfg) |