Some patches against the devel branch


 



Hi Stas, Bart,
    Here are some patches I made against today's devel branch. I had no 
specific bug to fix, but just wanted to fix some minor bounds checks and 
initialisation issues. All compile successfully, but I have very few DOS 
programs to exercise Dosemu properly.

Hope it helps,


Andrew
>From b785e25366a53a40f97f587443ee123e5061b8cc Mon Sep 17 00:00:00 2001
From: Andrew Bird <ajb@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 28 Mar 2014 14:08:29 +0000
Subject: [PATCH 1/8] EMM: Fix potential array overrun.

The maximum number of EMM handles is defined as 255 and consequently so
is its array size, which gives valid values of 0..254. The code checks for
out-of-bounds values < 0 and > 255, so there is the potential to overrun the
array; this patch corrects that.
---
 src/dosext/misc/emm.c |   14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/dosext/misc/emm.c b/src/dosext/misc/emm.c
index 6a54973..7cf96ea 100644
--- a/src/dosext/misc/emm.c
+++ b/src/dosext/misc/emm.c
@@ -211,7 +211,7 @@ static u_short os_allow=1;
 	{ memmove((nameptr), (name), 8); nameptr[8]=0; }
 
 #define CHECK_HANDLE(handle) \
-  if ((handle < 0) || (handle > MAX_HANDLES) || \
+  if ((handle < 0) || (handle >= MAX_HANDLES) || \
       (handle_info[handle].active == 0)) { \
     E_printf("Invalid Handle handle=%x, active=%d\n", \
              handle, handle_info[handle].active);  \
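Review bot: The `E_printf` in the failure branch still evaluates `handle_info[handle].active` for its `active=%d` argument, so a handle that the corrected comparison now rejects as out of range is still used as an array index before the macro returns; the do_map_unmap hunk has the same diagnostic. The value of `handle` appears to come from guest registers (`WORD(state->edx)` is visible in later hunks of this series), so this read is driven by DOS-side input, which is what makes getting the bounds check right matter. Splitting the range test from the `.active` test so that the diagnostic printing `active` runs only for in-range handles closes it; PATCH 2/8 in this series does that, so this is a note on ordering rather than a new change. The ems_fn hunks are not affected because their failure bodies do not index handle_info.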
@@ -585,7 +585,7 @@ do_map_unmap(int handle, int physical_page, int logical_page)
     unmap_page(physical_page);
   }
   else {
-    if ((handle < 0) || (handle > MAX_HANDLES) ||
+    if ((handle < 0) || (handle >= MAX_HANDLES) ||
         (handle_info[handle].active == 0)) {
       E_printf("Invalid Handle handle=%x, active=%d\n",
 	     handle, handle_info[handle].active);
@@ -794,7 +794,7 @@ reallocate_pages(state_t * state)
   int newcount = WORD(state->ebx);
   void *obj;
 
-  if ((handle < 0) || (handle > MAX_HANDLES)) {
+  if ((handle < 0) || (handle >= MAX_HANDLES)) {
     SETHIGH(&(state->eax), EMM_INV_HAN);
     return;
   }
@@ -1835,7 +1835,7 @@ ems_fn(state)
       if (handle == OS_HANDLE)
 	E_printf("EMS: trying to use OS handle in DEALLOCATE_HANDLE\n");
 
-      if ((handle < 0) || (handle > MAX_HANDLES) ||
+      if ((handle < 0) || (handle >= MAX_HANDLES) ||
 	  (handle_info[handle].active == 0)) {
 	E_printf("EMS: Invalid Handle\n");
 	SETHIGH(&(state->eax), EMM_INV_HAN);
@@ -1862,7 +1862,7 @@ ems_fn(state)
       if (handle == OS_HANDLE)
 	E_printf("EMS: trying to use OS handle in SAVE_PAGE_MAP\n");
 
-      if ((handle < 0) || (handle > MAX_HANDLES) ||
+      if ((handle < 0) || (handle >= MAX_HANDLES) ||
 	  (handle_info[handle].active == 0)) {
 	SETHIGH(&(state->eax), EMM_INV_HAN);
 	return (UNCHANGED);
@@ -1881,7 +1881,7 @@ ems_fn(state)
       if (handle == OS_HANDLE)
 	E_printf("EMS: trying to use OS handle in RESTORE_PAGE_MAP\n");
 
-      if ((handle < 0) || (handle > MAX_HANDLES) ||
+      if ((handle < 0) || (handle >= MAX_HANDLES) ||
 	  (handle_info[handle].active == 0)) {
 	SETHIGH(&(state->eax), EMM_INV_HAN);
 	return (UNCHANGED);
@@ -1912,7 +1912,7 @@ ems_fn(state)
       Kdebug1((dbg_fd, "bios_emm: Get Pages Owned, han-0x%x\n",
 	       handle));
 
-      if ((handle < 0) || (handle > MAX_HANDLES) ||
+      if ((handle < 0) || (handle >= MAX_HANDLES) ||
 	  (handle_info[handle].active == 0)) {
 	SETHIGH(&(state->eax), EMM_INV_HAN);
 	SETWORD(&(state->ebx), 0);
-- 
1.7.9.5

>From a545afa3cb1203b70ca1f03979b461f4957d4003 Mon Sep 17 00:00:00 2001
From: Andrew Bird <ajb@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 28 Mar 2014 17:53:47 +0000
Subject: [PATCH 6/8] LFN: Drive check off by one

---
 src/dosext/mfs/lfn.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/dosext/mfs/lfn.c b/src/dosext/mfs/lfn.c
index 4cb2974..d321a53 100644
--- a/src/dosext/mfs/lfn.c
+++ b/src/dosext/mfs/lfn.c
@@ -573,7 +573,7 @@ static int build_truename(char *dest, const char *src, int mode)
 		return MAX_DRIVE - 1;
 	}
 
-	if (dd > MAX_DRIVE || !drives[dd].root)
+	if (dd >= MAX_DRIVE || !drives[dd].root)
 		return -2;
 
 	if (!((cds_flags(drive_cds(dd))) & CDS_FLAG_REMOTE) ||
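Review bot: Nothing in the hunk establishes a lower bound on `dd` before `drives[dd].root` is read; the `>= MAX_DRIVE` change closes the upper overrun, but if `dd` can be negative (its derivation is outside the hunk) a negative value would still index before the array. Worth confirming where `dd` comes from, and if it can go negative the complete check is `if (dd < 0 || dd >= MAX_DRIVE || !drives[dd].root)`. build_truename's body starts and continues outside the hunk.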
-- 
1.7.9.5

>From ebb218a0a91f39e3e7840ea731ba4771a86a4656 Mon Sep 17 00:00:00 2001
From: Andrew Bird <ajb@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 28 Mar 2014 18:06:39 +0000
Subject: [PATCH 7/8] PCI: Check fd is valid before trying to close it

---
 src/base/dev/misc/pci.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/base/dev/misc/pci.c b/src/base/dev/misc/pci.c
index 50deb99..1573ee3 100644
--- a/src/base/dev/misc/pci.c
+++ b/src/base/dev/misc/pci.c
@@ -351,8 +351,10 @@ static int pci_check_device_present_proc(unsigned char bus, unsigned char device
 					 unsigned char fn)
 {
   int fd = pci_open_proc(bus, device, fn);
+  if (fd == -1)
+    return 0;
   close(fd);
-  return (fd != -1);
+  return 1;
 }
 
 static struct pci_funcs pci_cfg1 = {
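Review bot: The added guard tests the exact sentinel `fd == -1`, mirroring the `fd != -1` it replaces; `if (fd < 0)` is the conventional form and also covers a wrapper that reports failure as a negative error code, so I would write `if (fd < 0)` unless pci_open_proc is documented to return only -1 on failure (its contract is outside the hunk). Ignoring the return of close() is acceptable here since the descriptor was opened only to probe for existence.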
-- 
1.7.9.5

>From c9907f94a6788d047a445b492aa0f9fb0fe64f3f Mon Sep 17 00:00:00 2001
From: Andrew Bird <ajb@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 28 Mar 2014 18:38:35 +0000
Subject: [PATCH 8/8] Add missing initialisation to hlt_hdlr structs

---
 src/base/async/int.c     |    3 +++
 src/base/dev/pic/pic.c   |    1 +
 src/base/serial/fossil.c |    1 +
 src/dosext/misc/emm.c    |    1 +
 src/dosext/net/pktnew.c  |    1 +
 src/emu-i386/do_vm86.c   |    1 +
 6 files changed, 8 insertions(+)

diff --git a/src/base/async/int.c b/src/base/async/int.c
index f020f93..58ab81e 100644
--- a/src/base/async/int.c
+++ b/src/base/async/int.c
@@ -2330,11 +2330,13 @@ void setup_interrupts(void) {
   hlt_hdlr.name       = "interrupts";
   hlt_hdlr.len        = 256;
   hlt_hdlr.func       = do_int_from_hlt;
+  hlt_hdlr.arg        = NULL;
   hlt_off = hlt_register_handler(hlt_hdlr);
 
   hlt_hdlr.name       = "int return";
   hlt_hdlr.len        = 1;
   hlt_hdlr.func       = ret_from_int;
+  hlt_hdlr.arg        = NULL;
   iret_hlt_off = hlt_register_handler(hlt_hdlr);
 
   int_tid = coopth_create_multi("ints thread non-revect", 256);
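Review bot: Setting `hlt_hdlr.arg = NULL` member by member fixes today's uninitialised field but leaves the same gap for any field added to the struct later; if `hlt_hdlr` is a local declared without an initializer (its declaration is above the hunk), `= {0}` at the declaration, or `memset(&hlt_hdlr, 0, sizeof hlt_hdlr)` before the first assignment, zeroes the whole struct once and makes the per-call-site additions unnecessary. The same applies to the second int.c hunk and to the pic.c, fossil.c, emm.c, pktnew.c and do_vm86.c hunks of this patch. One cosmetic point: the emm.c hunk pads the new line to a column its neighbours there do not use, so it stands out from the surrounding single-space assignments.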
@@ -2344,6 +2346,7 @@ void setup_interrupts(void) {
   hlt_hdlr.name       = "mouse post";
   hlt_hdlr.len        = 1;
   hlt_hdlr.func       = int33_post;
+  hlt_hdlr.arg        = NULL;
   Mouse_HLT_OFF = hlt_register_handler(hlt_hdlr);
 }
 
diff --git a/src/base/dev/pic/pic.c b/src/base/dev/pic/pic.c
index 470edda..ec56d3e 100644
--- a/src/base/dev/pic/pic.c
+++ b/src/base/dev/pic/pic.c
@@ -1146,6 +1146,7 @@ void pic_init(void)
   hlt_hdlr.name       = "PIC";
   hlt_hdlr.len        = 1;
   hlt_hdlr.func       = pic_iret_hlt;
+  hlt_hdlr.arg        = NULL;
   PIC_OFF = hlt_register_handler(hlt_hdlr);
 }
 
diff --git a/src/base/serial/fossil.c b/src/base/serial/fossil.c
index 46aae3e..d92a5af 100644
--- a/src/base/serial/fossil.c
+++ b/src/base/serial/fossil.c
@@ -97,6 +97,7 @@ static void fossil_init(void)
   hlt_hdlr.name       = "fossil isr";
   hlt_hdlr.len        = 1;
   hlt_hdlr.func       = fossil_irq;
+  hlt_hdlr.arg        = NULL;
   irq_hlt = hlt_register_handler(hlt_hdlr);
 
   fossil_tsr_installed = TRUE;
diff --git a/src/dosext/misc/emm.c b/src/dosext/misc/emm.c
index ffb95ea..5a4a5df 100644
--- a/src/dosext/misc/emm.c
+++ b/src/dosext/misc/emm.c
@@ -2192,5 +2192,6 @@ void ems_init(void)
   hlt_hdlr.name = "EMS";
   hlt_hdlr.len = 1;
   hlt_hdlr.func = emm_hlt_handler;
+  hlt_hdlr.arg        = NULL;
   EMSControl_OFF = hlt_register_handler(hlt_hdlr);
 }
diff --git a/src/dosext/net/pktnew.c b/src/dosext/net/pktnew.c
index 34b33a2..0ffbd44 100644
--- a/src/dosext/net/pktnew.c
+++ b/src/dosext/net/pktnew.c
@@ -186,6 +186,7 @@ pkt_init(void)
     hlt_hdlr.name       = "pkt callout";
     hlt_hdlr.len        = 1;
     hlt_hdlr.func       = pkt_hlt;
+    hlt_hdlr.arg        = NULL;
     pkt_hlt_off = hlt_register_handler(hlt_hdlr);
 
     /* call Open_sockets() only for non-priv configs */
diff --git a/src/emu-i386/do_vm86.c b/src/emu-i386/do_vm86.c
index 2b0c108..8b601c4 100644
--- a/src/emu-i386/do_vm86.c
+++ b/src/emu-i386/do_vm86.c
@@ -502,6 +502,7 @@ int vm86_init(void)
     hlt_hdlr.name = "do_call_back";
     hlt_hdlr.len = 1;
     hlt_hdlr.func = callback_return;
+    hlt_hdlr.arg = NULL;
     CBACK_OFF = hlt_register_handler(hlt_hdlr);
     return 0;
 }
-- 
1.7.9.5

>From 68e18e2201f23f5dd57c94fcdab22cdf6880e5b0 Mon Sep 17 00:00:00 2001
From: Andrew Bird <ajb@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 28 Mar 2014 16:31:10 +0000
Subject: [PATCH 3/8] EMM: Refactor CHECK_HANDLE macro into inlineable
 function

    Following on from the EMM array handle validity changes, the
CHECK_HANDLE macro has been refactored into a more generic function that
is potentially inlineable by the compiler and aims to enhance readability.
---
 src/dosext/misc/emm.c |   97 ++++++++++++++++++++-----------------------------
 1 file changed, 40 insertions(+), 57 deletions(-)

diff --git a/src/dosext/misc/emm.c b/src/dosext/misc/emm.c
index cadf3dc..ffb95ea 100644
--- a/src/dosext/misc/emm.c
+++ b/src/dosext/misc/emm.c
@@ -210,19 +210,6 @@ static u_short os_allow=1;
 #define SET_HANDLE_NAME(nameptr, name) \
 	{ memmove((nameptr), (name), 8); nameptr[8]=0; }
 
-#define CHECK_HANDLE(handle) \
-  if ((handle < 0) || (handle >= MAX_HANDLES)) { \
-    E_printf("Invalid Handle handle=%x\n", handle);  \
-    SETHIGH(&(state->eax), EMM_INV_HAN); \
-    return; \
-  } \
-  if (handle_info[handle].active == 0) { \
-    E_printf("Invalid Handle handle=%x, active=%d\n", \
-             handle, handle_info[handle].active);  \
-    SETHIGH(&(state->eax), EMM_INV_HAN); \
-    return; \
-  }
-
 /* this will have to change...0 counts are allowed */
 #define HANDLE_ALLOCATED(handle) \
   (handle_info[handle].active)
@@ -371,16 +358,31 @@ emm_allocate_handle(int pages_needed)
   return (EMM_ERROR);
 }
 
+static boolean_t emm_valid_handle(int handle)
+{
+  if ((handle < 0) || (handle >= MAX_HANDLES)) {
+    E_printf("EMS: Invalid Handle handle=%x\n", handle);
+    return FALSE;
+  }
+
+  if (handle_info[handle].active == 0) {
+    E_printf("EMS: Invalid Handle handle=%x, active=%d\n",
+             handle, handle_info[handle].active);
+    return FALSE;
+  }
+
+  return TRUE;
+}
+
 static boolean_t
 emm_deallocate_handle(int handle)
 {
   int numpages, i;
   void *object;
 
-  if ((handle < 0) || (handle >= MAX_HANDLES))
-    return (FALSE);
-  if (handle_info[handle].active != 1)
+  if (!emm_valid_handle(handle))
     return (FALSE);
+
   for (i = 0; i < phys_pages; i++) {
     if (emm_map[i].handle == handle) {
       unmap_page(i);
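Review bot: `emm_valid_handle()` has no header comment, and its adoption in emm_deallocate_handle changes the test from `active != 1` to `active == 0`; if `active` can hold values other than 0 and 1 (not visible here), handles in such a state become deallocatable where they previously were not, so this is worth confirming or stating in the commit message. The helper also logs on every failure, so callers that were silent before (emm_deallocate_handle, the SAVE/RESTORE_PAGE_MAP paths) now emit E_printf lines — useful for diagnosis, but a behaviour change. I would add above the function: `/* Returns TRUE if handle is a valid index into handle_info and the entry is active; logs and returns FALSE otherwise. Does not check for OS_HANDLE. */`.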
@@ -589,15 +591,9 @@ do_map_unmap(int handle, int physical_page, int logical_page)
     unmap_page(physical_page);
   }
   else {
-    if ((handle < 0) || (handle >= MAX_HANDLES)) {
-      E_printf("Invalid Handle handle=%x\n", handle);
-      return EMM_INV_HAN;
-    }
-    if (handle_info[handle].active == 0) {
-      E_printf("Invalid Handle handle=%x, active=%d\n",
-	     handle, handle_info[handle].active);
+    if (!emm_valid_handle(handle))
       return EMM_INV_HAN;
-    }
+
     CHECK_OS_HANDLE(handle);
     if (logical_page >= handle_info[handle].numpages) {
       E_printf("Logical page too high logical_page=%d, numpages=%d\n",
@@ -768,7 +764,11 @@ map_unmap_multiple(state_t * state)
   int ret;
 
   Kdebug0((dbg_fd, "map_unmap_multiple %d called\n", method));
-  CHECK_HANDLE(handle);
+
+  if (!emm_valid_handle(handle)) {
+    SETHIGH(&(state->eax), EMM_INV_HAN);
+    return;
+  }
 
   switch (method) {
   case MULT_LOGPHYS:
@@ -801,12 +801,7 @@ reallocate_pages(state_t * state)
   int newcount = WORD(state->ebx);
   void *obj;
 
-  if ((handle < 0) || (handle >= MAX_HANDLES)) {
-    SETHIGH(&(state->eax), EMM_INV_HAN);
-    return;
-  }
-
-  if (!handle_info[handle].active) {	/* no-handle */
+  if (!emm_valid_handle(handle)) {
     Kdebug0((dbg_fd, "reallocate_pages handle %d invalid\n", handle));
     SETHIGH(&(state->eax), EMM_INV_HAN);
     return;
@@ -950,7 +945,11 @@ handle_name(state_t * state)
       int handle = WORD(state->edx);
       u_char *array = (u_char *) Addr(state, es, edi);
 
-      CHECK_HANDLE(handle);
+      if (!emm_valid_handle(handle)) {
+        SETHIGH(&(state->eax), EMM_INV_HAN);
+        return;
+      }
+
       handle_info[handle].name[8] = 0;
       Kdebug0((dbg_fd, "get handle name %d = %s\n", handle,
 	       handle_info[handle].name));
@@ -968,7 +967,11 @@ handle_name(state_t * state)
 
       E_printf("SET_NAME of %8.8s\n", (u_char *)array);
 
-      CHECK_HANDLE(handle);
+      if (!emm_valid_handle(handle)) {
+        SETHIGH(&(state->eax), EMM_INV_HAN);
+        return;
+      }
+
       memmove(handle_info[handle].name, array, 8);
       handle_info[handle].name[8] = 0;
 
@@ -1842,13 +1845,7 @@ ems_fn(state)
       if (handle == OS_HANDLE)
 	E_printf("EMS: trying to use OS handle in DEALLOCATE_HANDLE\n");
 
-      if ((handle < 0) || (handle >= MAX_HANDLES)) {
-	E_printf("EMS: Invalid Handle\n");
-	SETHIGH(&(state->eax), EMM_INV_HAN);
-	return (UNCHANGED);
-      }
-      if (handle_info[handle].active == 0) {
-	E_printf("EMS: Invalid Handle\n");
+      if (!emm_valid_handle(handle)) {
 	SETHIGH(&(state->eax), EMM_INV_HAN);
 	return (UNCHANGED);
       }
@@ -1873,11 +1870,7 @@ ems_fn(state)
       if (handle == OS_HANDLE)
 	E_printf("EMS: trying to use OS handle in SAVE_PAGE_MAP\n");
 
-      if ((handle < 0) || (handle >= MAX_HANDLES)) {
-	SETHIGH(&(state->eax), EMM_INV_HAN);
-	return (UNCHANGED);
-      }
-      if (handle_info[handle].active == 0) {
+      if (!emm_valid_handle(handle)) {
 	SETHIGH(&(state->eax), EMM_INV_HAN);
 	return (UNCHANGED);
       }
@@ -1895,11 +1888,7 @@ ems_fn(state)
       if (handle == OS_HANDLE)
 	E_printf("EMS: trying to use OS handle in RESTORE_PAGE_MAP\n");
 
-      if ((handle < 0) || (handle >= MAX_HANDLES)) {
-	SETHIGH(&(state->eax), EMM_INV_HAN);
-	return (UNCHANGED);
-      }
-      if (handle_info[handle].active == 0) {
+      if (!emm_valid_handle(handle)) {
 	SETHIGH(&(state->eax), EMM_INV_HAN);
 	return (UNCHANGED);
       }
@@ -1929,13 +1918,7 @@ ems_fn(state)
       Kdebug1((dbg_fd, "bios_emm: Get Pages Owned, han-0x%x\n",
 	       handle));
 
-      if ((handle < 0) || (handle >= MAX_HANDLES)) {
-	SETHIGH(&(state->eax), EMM_INV_HAN);
-	SETWORD(&(state->ebx), 0);
-	return (UNCHANGED);
-      }
-
-      if (handle_info[handle].active == 0) {
+      if (!emm_valid_handle(handle)) {
 	SETHIGH(&(state->eax), EMM_INV_HAN);
 	SETWORD(&(state->ebx), 0);
 	return (UNCHANGED);
-- 
1.7.9.5

>From c10dd27818d9bf61b8633f1d44153599a98f8b94 Mon Sep 17 00:00:00 2001
From: Andrew Bird <ajb@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 28 Mar 2014 15:56:11 +0000
Subject: [PATCH 2/8] EMM: Fix potential array overrun.

The maximum number of EMM handles is defined as 255 and consequently
the handle_info array is sized to have valid indices of 0..254. The code
checks for out-of-bounds values (< 0 or > 254) *OR*
handle_info[handle].active == 0, so there is still the potential to overrun
the handle_info array when the handle is invalid; this patch corrects that.
---
 src/dosext/misc/emm.c |   46 ++++++++++++++++++++++++++++++++++------------
 1 file changed, 34 insertions(+), 12 deletions(-)

diff --git a/src/dosext/misc/emm.c b/src/dosext/misc/emm.c
index 7cf96ea..cadf3dc 100644
--- a/src/dosext/misc/emm.c
+++ b/src/dosext/misc/emm.c
@@ -211,8 +211,12 @@ static u_short os_allow=1;
 	{ memmove((nameptr), (name), 8); nameptr[8]=0; }
 
 #define CHECK_HANDLE(handle) \
-  if ((handle < 0) || (handle >= MAX_HANDLES) || \
-      (handle_info[handle].active == 0)) { \
+  if ((handle < 0) || (handle >= MAX_HANDLES)) { \
+    E_printf("Invalid Handle handle=%x\n", handle);  \
+    SETHIGH(&(state->eax), EMM_INV_HAN); \
+    return; \
+  } \
+  if (handle_info[handle].active == 0) { \
     E_printf("Invalid Handle handle=%x, active=%d\n", \
              handle, handle_info[handle].active);  \
     SETHIGH(&(state->eax), EMM_INV_HAN); \
@@ -585,8 +589,11 @@ do_map_unmap(int handle, int physical_page, int logical_page)
     unmap_page(physical_page);
   }
   else {
-    if ((handle < 0) || (handle >= MAX_HANDLES) ||
-        (handle_info[handle].active == 0)) {
+    if ((handle < 0) || (handle >= MAX_HANDLES)) {
+      E_printf("Invalid Handle handle=%x\n", handle);
+      return EMM_INV_HAN;
+    }
+    if (handle_info[handle].active == 0) {
       E_printf("Invalid Handle handle=%x, active=%d\n",
 	     handle, handle_info[handle].active);
       return EMM_INV_HAN;
@@ -1835,8 +1842,12 @@ ems_fn(state)
       if (handle == OS_HANDLE)
 	E_printf("EMS: trying to use OS handle in DEALLOCATE_HANDLE\n");
 
-      if ((handle < 0) || (handle >= MAX_HANDLES) ||
-	  (handle_info[handle].active == 0)) {
+      if ((handle < 0) || (handle >= MAX_HANDLES)) {
+	E_printf("EMS: Invalid Handle\n");
+	SETHIGH(&(state->eax), EMM_INV_HAN);
+	return (UNCHANGED);
+      }
+      if (handle_info[handle].active == 0) {
 	E_printf("EMS: Invalid Handle\n");
 	SETHIGH(&(state->eax), EMM_INV_HAN);
 	return (UNCHANGED);
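Review bot: In this and the three following ems_fn hunks the split is not needed for safety: the original `||` condition short-circuits, so `handle_info[handle].active` is never evaluated for an out-of-range handle, and the bodies here do not index handle_info. The real overrun was in the diagnostics of the CHECK_HANDLE macro and do_map_unmap, which this patch fixes correctly; the ems_fn changes only duplicate the error bodies, and the DEALLOCATE_HANDLE case ends up with two identical `E_printf("EMS: Invalid Handle\n")` branches. If the intent is uniformity rather than correctness, saying so in the commit message would stop a reader concluding the single-condition form was unsafe. The enclosing switch in ems_fn extends beyond the hunk.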
@@ -1862,8 +1873,11 @@ ems_fn(state)
       if (handle == OS_HANDLE)
 	E_printf("EMS: trying to use OS handle in SAVE_PAGE_MAP\n");
 
-      if ((handle < 0) || (handle >= MAX_HANDLES) ||
-	  (handle_info[handle].active == 0)) {
+      if ((handle < 0) || (handle >= MAX_HANDLES)) {
+	SETHIGH(&(state->eax), EMM_INV_HAN);
+	return (UNCHANGED);
+      }
+      if (handle_info[handle].active == 0) {
 	SETHIGH(&(state->eax), EMM_INV_HAN);
 	return (UNCHANGED);
       }
@@ -1881,8 +1895,11 @@ ems_fn(state)
       if (handle == OS_HANDLE)
 	E_printf("EMS: trying to use OS handle in RESTORE_PAGE_MAP\n");
 
-      if ((handle < 0) || (handle >= MAX_HANDLES) ||
-	  (handle_info[handle].active == 0)) {
+      if ((handle < 0) || (handle >= MAX_HANDLES)) {
+	SETHIGH(&(state->eax), EMM_INV_HAN);
+	return (UNCHANGED);
+      }
+      if (handle_info[handle].active == 0) {
 	SETHIGH(&(state->eax), EMM_INV_HAN);
 	return (UNCHANGED);
       }
@@ -1912,8 +1929,13 @@ ems_fn(state)
       Kdebug1((dbg_fd, "bios_emm: Get Pages Owned, han-0x%x\n",
 	       handle));
 
-      if ((handle < 0) || (handle >= MAX_HANDLES) ||
-	  (handle_info[handle].active == 0)) {
+      if ((handle < 0) || (handle >= MAX_HANDLES)) {
+	SETHIGH(&(state->eax), EMM_INV_HAN);
+	SETWORD(&(state->ebx), 0);
+	return (UNCHANGED);
+      }
+
+      if (handle_info[handle].active == 0) {
 	SETHIGH(&(state->eax), EMM_INV_HAN);
 	SETWORD(&(state->ebx), 0);
 	return (UNCHANGED);
-- 
1.7.9.5

>From f098f471ee410aa1c09099b61cbd8aee4c7ca3fd Mon Sep 17 00:00:00 2001
From: Andrew Bird <ajb@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 28 Mar 2014 17:19:56 +0000
Subject: [PATCH 4/8] XMS: Avoid negative indexing into an array if function
 returns error

The umb_find_unused() function may return UMB_NULL (-1) if it fails to find
a free umb. This patch tests the result before using it to index the 'umbs'
array.
---
 src/dosext/misc/xms.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/dosext/misc/xms.c b/src/dosext/misc/xms.c
index 4af8046..0c3a8b6 100644
--- a/src/dosext/misc/xms.c
+++ b/src/dosext/misc/xms.c
@@ -126,9 +126,14 @@ umb_setup(void)
   addr_start = 0x00000;     /* start address */
   while ((size = memcheck_findhole(&addr_start, 1024, 0x100000)) != 0) {
     Debug0((dbg_fd, "findhole - from 0x%5.5zX, %dKb\n", addr_start, size/1024));
-    memcheck_reserve('U', addr_start, size);
 
     umb = umb_find_unused();
+    if (umb == UMB_NULL) {
+      Debug0((dbg_fd, "umb_setup: no unused umb found\n"));
+      continue;
+    }
+
+    memcheck_reserve('U', addr_start, size);
     umbs[umb].in_use = TRUE;
     umbs[umb].free = TRUE;
     umbs[umb].addr = addr_start;
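Review bot: `continue` at the new check goes back to `memcheck_findhole()` without having reserved the hole, and nothing in the visible part of the loop frees a umb slot, so once umb_find_unused() returns UMB_NULL every later iteration takes the same branch; if memcheck_findhole() can return the same unreserved hole again (whether it advances addr_start itself is not visible here) the loop never terminates. `break` is the safer choice since no further slots can become free within this loop, and it also avoids logging the same message once per hole. The remainder of the loop and of umb_setup is outside the hunk.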
-- 
1.7.9.5

>From 837676b8f880b250dd1fb51f46981e8e9eabb9d7 Mon Sep 17 00:00:00 2001
From: Andrew Bird <ajb@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 28 Mar 2014 17:26:50 +0000
Subject: [PATCH 5/8] Fix use after free in error path

---
 src/arch/linux/debugger/dosdebug.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/arch/linux/debugger/dosdebug.c b/src/arch/linux/debugger/dosdebug.c
index af0d88f..d4ffda4 100644
--- a/src/arch/linux/debugger/dosdebug.c
+++ b/src/arch/linux/debugger/dosdebug.c
@@ -68,9 +68,12 @@ static int find_dosemu_pid(char *tmpfile, int local)
 
   dir = opendir(dn);
   if (!dir) {
-    free(dn);
-    if (local) return -1;
+    if (local) {
+      free(dn);
+      return -1;
+    }
     fprintf(stderr, "can't open directory %s\n",dn);
+    free(dn);
     exit(1);
   }
   i = 0;
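Review bot: The two `free(dn)` calls in the error block could be collapsed to one by ordering it as: print the diagnostic only when `!local`, free `dn` once, then `if (local) return -1;` followed by `exit(1)`; a single release per path is easier to keep correct when another exit is added later. The fix itself is right — `dn` is released on both exits and the fprintf no longer reads freed memory. Whether find_dosemu_pid's other return paths (outside the hunk) release `dn` is not visible here and worth checking.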
-- 
1.7.9.5

