From 2fb36a627760f0924a9c8b1cc54b52a10edefc0f Mon Sep 17 00:00:00 2001
From: =?utf8?q?Jan=20Ekstr=C3=B6m?=
Date: Thu, 6 Nov 2014 15:03:58 +0200
Subject: [PATCH] system-controller: fix out-of-bounds access in screen.c
Change-Id: I83c31b2a0beaf4a15973bcc1961474de826c6fdb
---
 .../system-controller/resource-manager/screen.c | 42 ++++++++++++++++++++--
 1 file changed, 40 insertions(+), 2 deletions(-)
diff --git a/src/plugins/system-controller/resource-manager/screen.c b/src/plugins/system-controller/resource-manager/screen.c
index 1dafcd0..1dc23c7 100644
--- a/src/plugins/system-controller/resource-manager/screen.c
+++ b/src/plugins/system-controller/resource-manager/screen.c
@@ -1286,12 +1286,20 @@ static void screen_grant_resources(mrp_resmgr_screen_t *screen,
 zoneid = mrp_zone_get_id(zone);
 zonename = mrp_zone_get_name(zone);
- areas = screen->zones + zoneid;
- grantid = ++(screen->grantids[zoneid]);
+
+ /* We got a nonsense zone id */
+ if (zoneid >= MRP_ZONE_MAX) {
+ mrp_debug("invalid zoneid '" PRIu32 "' is larger than MRP_ZONE_MAX (%d), "
+ "bailing", zoneid, MRP_ZONE_MAX);
+ return;
+ }
 if (!zonename)
 zonename = "";
+ areas = screen->zones + zoneid;
+ grantid = ++(screen->grantids[zoneid]);
+
 mrp_list_foreach(areas, aentry, an) {
 area = mrp_list_entry(aentry, mrp_resmgr_screen_area_t, link);
 resources = &area->resources;
@@ -1341,6 +1349,14 @@ static void screen_queue_events(mrp_resmgr_screen_t *screen, mrp_zone_t *zone)
 zoneid = mrp_zone_get_id(zone);
 zonename = mrp_zone_get_name(zone);
+
+ /* We got a nonsense zone id */
+ if (zoneid >= MRP_ZONE_MAX) {
+ mrp_debug("invalid zoneid '" PRIu32 "' is larger than MRP_ZONE_MAX (%d), "
+ "bailing", zoneid, MRP_ZONE_MAX);
+ return;
+ }
+
 areas = screen->zones + zoneid;
 grantid = screen->grantids[zoneid];
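Review bot: The format string in the new `mrp_debug` call has no `%` in front of `PRIu32`, so the macro's text is pasted in as literal characters, `%d` ends up consuming `zoneid`, and `MRP_ZONE_MAX` is never printed (assuming `mrp_debug` is printf-style). The same two lines are repeated in the hunks for screen_queue_events, screen_init, screen_allocate and screen_commit. I would write `mrp_debug("invalid zoneid %" PRIu32 " is not below MRP_ZONE_MAX (%d), bailing", zoneid, MRP_ZONE_MAX);`, which also matches the `>=` test, since an id equal to the limit is rejected as well. screen_grant_resources starts before and continues after this hunk, so the declared type of `zoneid` is not visible; confirm it is `uint32_t` before relying on `PRIu32`.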
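Review bot: The range check in screen_queue_events is the second of five verbatim copies in this patch (screen_grant_resources before it, then screen_init, screen_allocate and screen_commit), and a file-local helper would keep the bound and the log message in one place. That matters for the fix itself: `screen->zones` and `screen->grantids` are presumably both sized by `MRP_ZONE_MAX`, and a later change to that sizing should not be able to leave one call site unchecked. Each caller then reduces to one guard line, returning `FALSE` in screen_allocate. The sketch assumes `zoneid` is a `uint32_t` and that `mrp_debug` takes a printf-style format, neither of which is visible in the hunk; screen_queue_events itself continues outside it.

```c
/* Reports whether zoneid can index the per-zone arrays of the screen manager. */
static bool screen_zoneid_valid(uint32_t zoneid)
{
    bool valid = zoneid < MRP_ZONE_MAX;

    if (!valid)
        mrp_debug("invalid zoneid %" PRIu32 " is not below MRP_ZONE_MAX (%d), "
                  "bailing", zoneid, MRP_ZONE_MAX);

    return valid;
}

/* in screen_queue_events(), right after zoneid and zonename are read */
    if (!screen_zoneid_valid(zoneid))
        return;
    /* … unchanged: areas and grantid assignments … */
```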
@@ -1478,6 +1494,13 @@ static void screen_init(mrp_zone_t *zone, void *userdata)
 zoneid = mrp_zone_get_id(zone);
 zonename = mrp_zone_get_name(zone);
+ /* We got a nonsense zone id */
+ if (zoneid >= MRP_ZONE_MAX) {
+ mrp_debug("invalid zoneid '" PRIu32 "' is larger than MRP_ZONE_MAX (%d), "
+ "bailing", zoneid, MRP_ZONE_MAX);
+ return;
+ }
+
 if (!zonename)
 zonename = "";
@@ -1507,6 +1530,14 @@ static bool screen_allocate(mrp_zone_t *zone,
 MRP_ASSERT(zone && res && screen && screen->resmgr, "invalid argument");
 zoneid = mrp_zone_get_id(zone);
+
+ /* We got a nonsense zone id */
+ if (zoneid >= MRP_ZONE_MAX) {
+ mrp_debug("invalid zoneid '" PRIu32 "' is larger than MRP_ZONE_MAX (%d), "
+ "bailing", zoneid, MRP_ZONE_MAX);
+ return FALSE;
+ }
+
 grantid = screen->grantids[zoneid];
 if (!(zonename = mrp_zone_get_name(zone)))
@@ -1577,6 +1608,13 @@ static void screen_commit(mrp_zone_t *zone, void *userdata)
 zoneid = mrp_zone_get_id(zone);
+ /* We got a nonsense zone id */
+ if (zoneid >= MRP_ZONE_MAX) {
+ mrp_debug("invalid zoneid '" PRIu32 "' is larger than MRP_ZONE_MAX (%d), "
+ "bailing", zoneid, MRP_ZONE_MAX);
+ return;
+ }
+
 if (!(zonename = mrp_zone_get_name(zone)))
 zonename = "";
--
2.7.4
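Review bot: In screen_init an out-of-range zone id is reported only through `mrp_debug`, and the function returns void, so with debug output disabled nothing records that the zone was skipped. For a condition the commit subject itself calls an out-of-bounds access, I would log at error level so it shows up in production logs and can be alerted on. If this file already uses Murphy's log macros, that would be `mrp_log_error("screen: zone id %" PRIu32 " out of range (max %d), zone skipped", zoneid, MRP_ZONE_MAX);`. The same applies to the void returns in screen_grant_resources, screen_queue_events and screen_commit, whereas screen_allocate at least hands `FALSE` back to its caller. screen_init continues outside the hunk, so which per-zone state is left unset is not visible here.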