From: Bruce Evans
Date: Sun, 24 Mar 2019 18:57:04 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r345478 - head/lib/libvgl

Author: bde
Date: Sun Mar 24 18:57:03 2019
New Revision: 345478
URL: https://svnweb.freebsd.org/changeset/base/345478

Log:
  Fix buffer overruns in modes with color depth more than 8.

  Support for 16-bit and 32-bit Truecolor modes was supposed to be complete
  in r70991 of main.c and in nearby revisions for other files, but it was
  broken by the overruns in most cases (all cases where the mouse is enabled,
  and most cases where bitmaps are used).

  r70991 also unintentionally added support for depths 9-15, 17-23 and
  25-31.  Depth 24 was more obviously broken and its support is ifdefed out.
  In the other ranges, only depth 15 is common.  It was broken by buffer
  overruns in all cases.

  bitmap.c:
  - the static buffer was used even when it was too small (but it was large
    enough to often work accidentally in depth 16)
  - the size of the dynamically allocated buffer was too small
  - the sizing info bitmap->PixelBytes was not initialized in the bitmap
    constructor.  It often ended up as 0 for MEMBUFs, so using it in more
    places gave more null pointer accesses.  (It is per-bitmap, but since
    conversion between bitmaps of different depths is not supported (except
    from 4 bits by padding to 8), it would work better if it were global.)

  main.c:
  - depths were rounded down instead of up to a multiple of 8, so PixelBytes
    was 1 too small for depths above 8 except 16, 24 and 32.
  - PixelBytes was not initialized for 4-bit planar modes.  It isn't really
    used for frame buffer accesses in these modes, but needs to be 1 in
    MEMBUF images.

  mouse.c:
  - the mouse cursor buffers were too small.

  vgl.h:
  - PixelBytes was not initialized in the static bitmap constructor.  It
    should be initialized to the value for the current mode, but that is
    impossible in a static constructor.  Initialize it to -1 so as to fail
    if it is used without further initialization.

  All modes that are supposed to be supported now don't crash in nontrivial
  tests, and almost work.  Missing uses of PixelBytes now give in-bounds
  wrong pointers instead of overruns.  Misconversions of bitmaps give
  multiple miscolored mouse cursors instead of 1 white one, and similarly
  for bitmaps copied through a MEMBUF.

Modified:
  head/lib/libvgl/bitmap.c
  head/lib/libvgl/main.c
  head/lib/libvgl/mouse.c
  head/lib/libvgl/vgl.h

Modified: head/lib/libvgl/bitmap.c ============================================================================== --- head/lib/libvgl/bitmap.c Sun Mar 24 18:51:52 2019 (r345477) +++ head/lib/libvgl/bitmap.c Sun Mar 24 18:57:03 2019 (r345478) 
@@ -338,8 +338,8 @@ __VGLBitmapCopy(VGLBitmap *src, int srcx, int srcy, byte buffer[2048]; /* XXX */ byte *p; - if (width > sizeof(buffer)) { - p = malloc(width); + if (width * src->PixelBytes > sizeof(buffer)) { + p = malloc(width * src->PixelBytes); if (p == NULL) return 1; } else { @@ -349,7 +349,7 @@ __VGLBitmapCopy(VGLBitmap *src, int srcx, int srcy, ReadVerticalLine(src, srcx, srcline, width, p); WriteVerticalLine(dst, dstx, dstline, width, p); } - if (width > sizeof(buffer)) + if (width * src->PixelBytes > sizeof(buffer)) free(p); } return 0; @@ -387,6 +387,7 @@ VGLBitmap object->Xorigin = 0; object->Yorigin = 0; object->Bitmap = bits; + object->PixelBytes = VGLDisplay->PixelBytes; return object; } @@ -401,7 +402,7 @@ VGLBitmapDestroy(VGLBitmap *object) int VGLBitmapAllocateBits(VGLBitmap *object) { - object->Bitmap = (byte *)malloc(object->VXsize*object->VYsize); + object->Bitmap = malloc(object->VXsize*object->VYsize*object->PixelBytes); if (object->Bitmap == NULL) return -1; return 0; Modified: head/lib/libvgl/main.c ============================================================================== --- head/lib/libvgl/main.c Sun Mar 24 18:51:52 2019 (r345477) +++ head/lib/libvgl/main.c Sun Mar 24 18:57:03 2019 (r345478) @@ -132,7 +132,7 @@ int VGLInit(int mode) { struct vt_mode smode; - int adptype; + int adptype, depth; if (VGLInitDone) return -1; @@ -188,6 +188,7 @@ VGLInit(int mode) return -4; } VGLDisplay->Type = VIDBUF4; + VGLDisplay->PixelBytes = 1; break; case V_INFO_MM_PACKED: /* we can do only 256 color packed modes */ 
@@ -294,8 +295,11 @@ VGLInit(int mode) VGLDisplay->Xsize = VGLModeInfo.vi_width; VGLDisplay->Ysize = VGLModeInfo.vi_height; + depth = VGLModeInfo.vi_depth; + if (depth == 15) + depth = 16; VGLDisplay->VXsize = VGLAdpInfo.va_line_width - *8/(VGLModeInfo.vi_depth/VGLModeInfo.vi_planes); + *8/(depth/VGLModeInfo.vi_planes); VGLDisplay->VYsize = VGLBufSize/VGLModeInfo.vi_planes/VGLAdpInfo.va_line_width; VGLDisplay->Xorigin = 0; VGLDisplay->Yorigin = 0; @@ -530,6 +534,8 @@ VGLSetSegment(unsigned int offset) int VGLSetVScreenSize(VGLBitmap *object, int VXsize, int VYsize) { + int depth; + if (VXsize < object->Xsize || VYsize < object->Ysize) return -1; if (object->Type == MEMBUF) @@ -537,8 +543,11 @@ VGLSetVScreenSize(VGLBitmap *object, int VXsize, int V if (ioctl(0, FBIO_SETLINEWIDTH, &VXsize)) return -1; ioctl(0, CONS_ADPINFO, &VGLAdpInfo); /* FBIO_ADPINFO */ + depth = VGLModeInfo.vi_depth; + if (depth == 15) + depth = 16; object->VXsize = VGLAdpInfo.va_line_width - *8/(VGLModeInfo.vi_depth/VGLModeInfo.vi_planes); + *8/(depth/VGLModeInfo.vi_planes); object->VYsize = VGLBufSize/VGLModeInfo.vi_planes/VGLAdpInfo.va_line_width; if (VYsize < object->VYsize) object->VYsize = VYsize; Modified: head/lib/libvgl/mouse.c ============================================================================== --- head/lib/libvgl/mouse.c Sun Mar 24 18:51:52 2019 (r345477) +++ head/lib/libvgl/mouse.c Sun Mar 24 18:57:03 2019 (r345478) @@ -82,7 +82,7 @@ static VGLBitmap VGLMouseStdAndMask = static VGLBitmap VGLMouseStdOrMask = VGLBITMAP_INITIALIZER(MEMBUF, MOUSE_IMG_SIZE, MOUSE_IMG_SIZE, StdOrMask); static VGLBitmap *VGLMouseAndMask, *VGLMouseOrMask; -static byte map[MOUSE_IMG_SIZE*MOUSE_IMG_SIZE]; +static byte map[MOUSE_IMG_SIZE*MOUSE_IMG_SIZE*4]; static VGLBitmap VGLMouseSave = VGLBITMAP_INITIALIZER(MEMBUF, MOUSE_IMG_SIZE, MOUSE_IMG_SIZE, map); static int VGLMouseVisible = 0; 
@@ -95,7 +95,7 @@ static int VGLMouseButtons = 0; void VGLMousePointerShow() { - byte buf[MOUSE_IMG_SIZE*MOUSE_IMG_SIZE]; + byte buf[MOUSE_IMG_SIZE*MOUSE_IMG_SIZE*4]; VGLBitmap buffer = VGLBITMAP_INITIALIZER(MEMBUF, MOUSE_IMG_SIZE, MOUSE_IMG_SIZE, buf); byte crtcidx, crtcval, gdcidx, gdcval; Modified: head/lib/libvgl/vgl.h ============================================================================== --- head/lib/libvgl/vgl.h Sun Mar 24 18:51:52 2019 (r345477) +++ head/lib/libvgl/vgl.h Sun Mar 24 18:57:03 2019 (r345478) @@ -49,7 +49,7 @@ typedef struct { } VGLBitmap; #define VGLBITMAP_INITIALIZER(t, x, y, bits) \ - { (t), (x), (y), (x), (y), 0, 0, (bits) } + { (t), (x), (y), (x), (y), 0, 0, (bits), -1 } /* * Defined Type's
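Review bot: in __VGLBitmapCopy (bitmap.c, @@ -338 and @@ -349) the byte count `width * src->PixelBytes` is written out three times, and the allocation and the later free() are guarded by two separate copies of the same condition, so a future edit to one copy and not the other reintroduces a leak or a free of the stack buffer. Compute the count once into a local, reject `src->PixelBytes <= 0` explicitly (a bitmap still carrying the -1 from VGLBITMAP_INITIALIZER otherwise makes the product negative and relies on the comparison with sizeof(buffer) and on malloc() failing), and reuse that local for the test, the malloc() and the free() condition. The buffer is also sized from src only while the same line is then passed to WriteVerticalLine(dst, ...), which is correct only as long as src and dst have the same PixelBytes; a check or a comment stating that assumption would help.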
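Review bot: the added `object->PixelBytes = VGLDisplay->PixelBytes;` in the bitmap constructor (bitmap.c, @@ -387) dereferences VGLDisplay with no NULL check visible in the hunk. If the constructor can be called before VGLInit has set VGLDisplay up, this is a new crash path; either document that VGLInit must come first or fall back to the -1 sentinel used in vgl.h when VGLDisplay is not yet available.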
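Review bot: the size passed to malloc() in VGLBitmapAllocateBits (bitmap.c, @@ -401), `object->VXsize*object->VYsize*object->PixelBytes`, is an unchecked three-way product, and adding the PixelBytes factor makes an overflow or a negative result easier to reach, in particular for a static bitmap whose PixelBytes is still -1. Check that all three factors are positive and that the product cannot overflow before allocating, and return -1 on failure so that an undersized buffer is never handed back.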
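Review bot: the depth adjustment in VGLInit (main.c, @@ -294) special-cases only depth 15, while the log message says r70991 also admitted depths 9-14, 17-23 and 25-31; for those the divisor `depth/VGLModeInfo.vi_planes` is still the unrounded depth. Either round up generally to the next multiple of 8 or reject the depths that are not meant to be supported, and add a short comment saying why 15 is treated as 16. The same three lines are repeated in VGLSetVScreenSize (@@ -537), so a small helper that returns the rounded depth would keep the two sites from diverging.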
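Review bot: the `*4` in `map[MOUSE_IMG_SIZE*MOUSE_IMG_SIZE*4]` and `buf[MOUSE_IMG_SIZE*MOUSE_IMG_SIZE*4]` (mouse.c, @@ -82 and @@ -95) is an unexplained magic number that has to stay in step with the largest PixelBytes the library can produce. Give it a named constant shared with the code that sets PixelBytes, so the cursor buffers cannot silently become too small again. Both VGLMouseSave and the local `buffer` are built with VGLBITMAP_INITIALIZER and therefore start with PixelBytes of -1; nothing in these hunks shows where that is replaced with the mode's value before the bitmaps are used, which is worth pointing to in a comment.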
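Review bot: the -1 sentinel added to VGLBITMAP_INITIALIZER (vgl.h, @@ -49) is undocumented in the header, and the "fail if used" behaviour depends on every consumer happening to mishandle a negative size rather than on an explicit check. Add a comment on the macro stating that PixelBytes must be set before the bitmap is used, and consider a named constant for the sentinel so callers in bitmap.c can test for it directly. Any out-of-tree code that uses a positional initializer for VGLBitmap will also need the extra field.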