git: 9c9d0d90512f - releng/12.2 - vt: bound buffer access in redraw optimization

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Ed Maste <emaste_at_FreeBSD.org>
Date: Tue, 11 Jan 2022 18:32:05 UTC
The branch releng/12.2 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=9c9d0d90512f0e5950b179d1a07f717ad7c8fe28

commit 9c9d0d90512f0e5950b179d1a07f717ad7c8fe28
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2021-09-22 18:41:00 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2022-01-10 18:04:06 +0000

    vt: bound buffer access in redraw optimization
    
    PR:             248628
    Reported by:    oleg
    Reviewed by:    cem, oleg (both earlier)
    Fixes:          ee97b2336aa4 ("Speed up vt(4) by keeping...")
    MFC after:      3 days
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D32059
    
    (cherry picked from commit dbc7ca59451561a179f9852642e13ef024169d84)
    (cherry picked from commit e4fcff8ee124f8faed2f1fcc1e15b7ae6906d4d7)
    
    Approved by:    so
    Security:       FreeBSD-SA-22:01.vt
---
 sys/dev/vt/hw/fb/vt_fb.c   | 6 ++++++
 sys/dev/vt/hw/vga/vt_vga.c | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/sys/dev/vt/hw/fb/vt_fb.c b/sys/dev/vt/hw/fb/vt_fb.c
index 62a52dd9e017..5c14be1c15ba 100644
--- a/sys/dev/vt/hw/fb/vt_fb.c
+++ b/sys/dev/vt/hw/fb/vt_fb.c
@@ -354,6 +354,9 @@ vt_fb_bitblt_text(struct vt_device *vd, const struct vt_window *vw,
 			    VTBUF_ISCURSOR(&vw->vw_buf, row, col), &fg, &bg);
 
 			z = row * PIXEL_WIDTH(VT_FB_MAX_WIDTH) + col;
+			if (z >= PIXEL_HEIGHT(VT_FB_MAX_HEIGHT) *
+			    PIXEL_WIDTH(VT_FB_MAX_WIDTH))
+				continue;
 			if (vd->vd_drawn && (vd->vd_drawn[z] == c) &&
 			    vd->vd_drawnfg && (vd->vd_drawnfg[z] == fg) &&
 			    vd->vd_drawnbg && (vd->vd_drawnbg[z] == bg))
@@ -404,6 +407,9 @@ vt_fb_invalidate_text(struct vt_device *vd, const term_rect_t *area)
 		for (col = area->tr_begin.tp_col; col < area->tr_end.tp_col;
 		    ++col) {
 			z = row * PIXEL_WIDTH(VT_FB_MAX_WIDTH) + col;
+			if (z >= PIXEL_HEIGHT(VT_FB_MAX_HEIGHT) *
+			    PIXEL_WIDTH(VT_FB_MAX_WIDTH))
+				continue;
 			if (vd->vd_drawn)
 				vd->vd_drawn[z] = 0;
 			if (vd->vd_drawnfg)
diff --git a/sys/dev/vt/hw/vga/vt_vga.c b/sys/dev/vt/hw/vga/vt_vga.c
index 88a9b1c47338..563867399e53 100644
--- a/sys/dev/vt/hw/vga/vt_vga.c
+++ b/sys/dev/vt/hw/vga/vt_vga.c
@@ -888,6 +888,9 @@ vga_bitblt_text_txtmode(struct vt_device *vd, const struct vt_window *vw,
 			    &fg, &bg);
 
 			z = row * PIXEL_WIDTH(VT_FB_MAX_WIDTH) + col;
+			if (z >= PIXEL_HEIGHT(VT_FB_MAX_HEIGHT) *
+			    PIXEL_WIDTH(VT_FB_MAX_WIDTH))
+				continue;
 			if (vd->vd_drawn && (vd->vd_drawn[z] == c) &&
 			    vd->vd_drawnfg && (vd->vd_drawnfg[z] == fg) &&
 			    vd->vd_drawnbg && (vd->vd_drawnbg[z] == bg))
@@ -941,6 +944,9 @@ vga_invalidate_text(struct vt_device *vd, const term_rect_t *area)
 		    col < area->tr_end.tp_col;
 		    ++col) {
 			z = row * PIXEL_WIDTH(VT_FB_MAX_WIDTH) + col;
+			if (z >= PIXEL_HEIGHT(VT_FB_MAX_HEIGHT) *
+			    PIXEL_WIDTH(VT_FB_MAX_WIDTH))
+				continue;
 			if (vd->vd_drawn)
 				vd->vd_drawn[z] = 0;
 			if (vd->vd_drawnfg)