From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Andrew Bird (Sphere Systems)" Subject: Some patches against the devel branch Date: Fri, 28 Mar 2014 19:03:46 +0000 Message-ID: <3273607.99ArgyKrGO@polly.spheresystems.co.uk> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="nextPart3726963.i5OvszIMX8" Content-Transfer-Encoding: 7Bit Return-path: Sender: linux-msdos-owner@vger.kernel.org List-ID: To: linux-msdos@vger.kernel.org This is a multi-part message in MIME format. --nextPart3726963.i5OvszIMX8 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Hi Stas, Bart, Here are some patches I made against today's devel branch. I had no specific bug to fix, but just wanted to fix some minor bounds checks and initialisation issues. All compile successfully, but I have very few DOS programs to exercise Dosemu properly. Hope it helps, Andrew --nextPart3726963.i5OvszIMX8 Content-Disposition: attachment; filename="0001-EMM-Fix-potential-array-overrun.patch" Content-Transfer-Encoding: 7Bit Content-Type: text/x-patch; charset="UTF-8"; name="0001-EMM-Fix-potential-array-overrun.patch" >From b785e25366a53a40f97f587443ee123e5061b8cc Mon Sep 17 00:00:00 2001 From: Andrew Bird Date: Fri, 28 Mar 2014 14:08:29 +0000 Subject: [PATCH 1/8] EMM: Fix potential array overrun. The maximum number of EMM handles is defined as 255 and consequently its array size which gives valid values of 0..254. The code checks for out of bounds values < 0 and > 255 so there is the potential to overrun the array, this patch corrects that. --- src/dosext/misc/emm.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/dosext/misc/emm.c b/src/dosext/misc/emm.c index 6a54973..7cf96ea 100644 --- a/src/dosext/misc/emm.c +++ b/src/dosext/misc/emm.c 
@@ -211,7 +211,7 @@ static u_short os_allow=1; { memmove((nameptr), (name), 8); nameptr[8]=0; } #define CHECK_HANDLE(handle) \ - if ((handle < 0) || (handle > MAX_HANDLES) || \ + if ((handle < 0) || (handle >= MAX_HANDLES) || \ (handle_info[handle].active == 0)) { \ E_printf("Invalid Handle handle=%x, active=%d\n", \ handle, handle_info[handle].active); \ @@ -585,7 +585,7 @@ do_map_unmap(int handle, int physical_page, int logical_page) unmap_page(physical_page); } else { - if ((handle < 0) || (handle > MAX_HANDLES) || + if ((handle < 0) || (handle >= MAX_HANDLES) || (handle_info[handle].active == 0)) { E_printf("Invalid Handle handle=%x, active=%d\n", handle, handle_info[handle].active); @@ -794,7 +794,7 @@ reallocate_pages(state_t * state) int newcount = WORD(state->ebx); void *obj; - if ((handle < 0) || (handle > MAX_HANDLES)) { + if ((handle < 0) || (handle >= MAX_HANDLES)) { SETHIGH(&(state->eax), EMM_INV_HAN); return; } @@ -1835,7 +1835,7 @@ ems_fn(state) if (handle == OS_HANDLE) E_printf("EMS: trying to use OS handle in DEALLOCATE_HANDLE\n"); - if ((handle < 0) || (handle > MAX_HANDLES) || + if ((handle < 0) || (handle >= MAX_HANDLES) || (handle_info[handle].active == 0)) { E_printf("EMS: Invalid Handle\n"); SETHIGH(&(state->eax), EMM_INV_HAN); @@ -1862,7 +1862,7 @@ ems_fn(state) if (handle == OS_HANDLE) E_printf("EMS: trying to use OS handle in SAVE_PAGE_MAP\n"); - if ((handle < 0) || (handle > MAX_HANDLES) || + if ((handle < 0) || (handle >= MAX_HANDLES) || (handle_info[handle].active == 0)) { SETHIGH(&(state->eax), EMM_INV_HAN); return (UNCHANGED); @@ -1881,7 +1881,7 @@ ems_fn(state) if (handle == OS_HANDLE) E_printf("EMS: trying to use OS handle in RESTORE_PAGE_MAP\n"); - if ((handle < 0) || (handle > MAX_HANDLES) || + if ((handle < 0) || (handle >= MAX_HANDLES) || (handle_info[handle].active == 0)) { SETHIGH(&(state->eax), EMM_INV_HAN); return (UNCHANGED); 
@@ -1912,7 +1912,7 @@ ems_fn(state) Kdebug1((dbg_fd, "bios_emm: Get Pages Owned, han-0x%x\n", handle)); - if ((handle < 0) || (handle > MAX_HANDLES) || + if ((handle < 0) || (handle >= MAX_HANDLES) || (handle_info[handle].active == 0)) { SETHIGH(&(state->eax), EMM_INV_HAN); SETWORD(&(state->ebx), 0); -- 1.7.9.5 --nextPart3726963.i5OvszIMX8 Content-Disposition: attachment; filename="0006-LFN-Drive-check-off-by-one.patch" Content-Transfer-Encoding: 7Bit Content-Type: text/x-patch; charset="UTF-8"; name="0006-LFN-Drive-check-off-by-one.patch" >From a545afa3cb1203b70ca1f03979b461f4957d4003 Mon Sep 17 00:00:00 2001 From: Andrew Bird Date: Fri, 28 Mar 2014 17:53:47 +0000 Subject: [PATCH 6/8] LFN: Drive check off by one --- src/dosext/mfs/lfn.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/dosext/mfs/lfn.c b/src/dosext/mfs/lfn.c index 4cb2974..d321a53 100644 --- a/src/dosext/mfs/lfn.c +++ b/src/dosext/mfs/lfn.c @@ -573,7 +573,7 @@ static int build_truename(char *dest, const char *src, int mode) return MAX_DRIVE - 1; } - if (dd > MAX_DRIVE || !drives[dd].root) + if (dd >= MAX_DRIVE || !drives[dd].root) return -2; if (!((cds_flags(drive_cds(dd))) & CDS_FLAG_REMOTE) || -- 1.7.9.5 --nextPart3726963.i5OvszIMX8 Content-Disposition: attachment; filename="0007-PCI-Check-fd-is-valid-before-trying-to-close-it.patch" Content-Transfer-Encoding: 7Bit Content-Type: text/x-patch; charset="UTF-8"; name="0007-PCI-Check-fd-is-valid-before-trying-to-close-it.patch" >From ebb218a0a91f39e3e7840ea731ba4771a86a4656 Mon Sep 17 00:00:00 2001 From: Andrew Bird Date: Fri, 28 Mar 2014 18:06:39 +0000 Subject: [PATCH 7/8] PCI: Check fd is valid before trying to close it --- src/base/dev/misc/pci.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/base/dev/misc/pci.c b/src/base/dev/misc/pci.c index 50deb99..1573ee3 100644 --- a/src/base/dev/misc/pci.c +++ b/src/base/dev/misc/pci.c 
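Review bot: in the CHECK_HANDLE and do_map_unmap hunks of 0001 the `>= MAX_HANDLES` bound is right, but the `E_printf("Invalid Handle handle=%x, active=%d\n", handle, handle_info[handle].active)` inside the failure branch still indexes handle_info with the handle that was just rejected, so an out-of-range value fails the test only to be read out of bounds by the log call. Either drop `active` from that message or test the range before the active flag and log separately, which is what 0002 in this series goes on to do; squashing 0001 and 0002 would avoid a bisect point that still contains the overrun read.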
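Review bot: the `dd >= MAX_DRIVE` change in the build_truename hunk of 0006 is consistent with the `return MAX_DRIVE - 1;` two lines above it, but the commit has no body; please state the size of `drives[]` that makes `dd == MAX_DRIVE` invalid, as the 0001 message does for handle_info, so the reason for the bound survives in `git log`.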
@@ -351,8 +351,10 @@ static int pci_check_device_present_proc(unsigned char bus, unsigned char device unsigned char fn) { int fd = pci_open_proc(bus, device, fn); + if (fd == -1) + return 0; close(fd); - return (fd != -1); + return 1; } static struct pci_funcs pci_cfg1 = { -- 1.7.9.5 --nextPart3726963.i5OvszIMX8 Content-Disposition: attachment; filename="0008-Add-missing-initialisation-to-hlt_hdlr-structs.patch" Content-Transfer-Encoding: 7Bit Content-Type: text/x-patch; charset="UTF-8"; name="0008-Add-missing-initialisation-to-hlt_hdlr-structs.patch" >From c9907f94a6788d047a445b492aa0f9fb0fe64f3f Mon Sep 17 00:00:00 2001 From: Andrew Bird Date: Fri, 28 Mar 2014 18:38:35 +0000 Subject: [PATCH 8/8] Add missing initialisation to hlt_hdlr structs --- src/base/async/int.c | 3 +++ src/base/dev/pic/pic.c | 1 + src/base/serial/fossil.c | 1 + src/dosext/misc/emm.c | 1 + src/dosext/net/pktnew.c | 1 + src/emu-i386/do_vm86.c | 1 + 6 files changed, 8 insertions(+) diff --git a/src/base/async/int.c b/src/base/async/int.c index f020f93..58ab81e 100644 --- a/src/base/async/int.c +++ b/src/base/async/int.c @@ -2330,11 +2330,13 @@ void setup_interrupts(void) { hlt_hdlr.name = "interrupts"; hlt_hdlr.len = 256; hlt_hdlr.func = do_int_from_hlt; + hlt_hdlr.arg = NULL; hlt_off = hlt_register_handler(hlt_hdlr); hlt_hdlr.name = "int return"; hlt_hdlr.len = 1; hlt_hdlr.func = ret_from_int; + hlt_hdlr.arg = NULL; iret_hlt_off = hlt_register_handler(hlt_hdlr); int_tid = coopth_create_multi("ints thread non-revect", 256); @@ -2344,6 +2346,7 @@ void setup_interrupts(void) { hlt_hdlr.name = "mouse post"; hlt_hdlr.len = 1; hlt_hdlr.func = int33_post; + hlt_hdlr.arg = NULL; Mouse_HLT_OFF = hlt_register_handler(hlt_hdlr); } diff --git a/src/base/dev/pic/pic.c b/src/base/dev/pic/pic.c index 470edda..ec56d3e 100644 --- a/src/base/dev/pic/pic.c +++ b/src/base/dev/pic/pic.c 
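Review bot: the pci_check_device_present_proc hunk of 0007 correctly stops passing -1 to close(), which previously just failed with EBADF; consider testing `fd < 0` instead of `fd == -1` so the guard also covers any other negative error value, since the contract of pci_open_proc() is not visible in this hunk.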
@@ -1146,6 +1146,7 @@ void pic_init(void) hlt_hdlr.name = "PIC"; hlt_hdlr.len = 1; hlt_hdlr.func = pic_iret_hlt; + hlt_hdlr.arg = NULL; PIC_OFF = hlt_register_handler(hlt_hdlr); } diff --git a/src/base/serial/fossil.c b/src/base/serial/fossil.c index 46aae3e..d92a5af 100644 --- a/src/base/serial/fossil.c +++ b/src/base/serial/fossil.c @@ -97,6 +97,7 @@ static void fossil_init(void) hlt_hdlr.name = "fossil isr"; hlt_hdlr.len = 1; hlt_hdlr.func = fossil_irq; + hlt_hdlr.arg = NULL; irq_hlt = hlt_register_handler(hlt_hdlr); fossil_tsr_installed = TRUE; diff --git a/src/dosext/misc/emm.c b/src/dosext/misc/emm.c index ffb95ea..5a4a5df 100644 --- a/src/dosext/misc/emm.c +++ b/src/dosext/misc/emm.c @@ -2192,5 +2192,6 @@ void ems_init(void) hlt_hdlr.name = "EMS"; hlt_hdlr.len = 1; hlt_hdlr.func = emm_hlt_handler; + hlt_hdlr.arg = NULL; EMSControl_OFF = hlt_register_handler(hlt_hdlr); } diff --git a/src/dosext/net/pktnew.c b/src/dosext/net/pktnew.c index 34b33a2..0ffbd44 100644 --- a/src/dosext/net/pktnew.c +++ b/src/dosext/net/pktnew.c @@ -186,6 +186,7 @@ pkt_init(void) hlt_hdlr.name = "pkt callout"; hlt_hdlr.len = 1; hlt_hdlr.func = pkt_hlt; + hlt_hdlr.arg = NULL; pkt_hlt_off = hlt_register_handler(hlt_hdlr); /* call Open_sockets() only for non-priv configs */ diff --git a/src/emu-i386/do_vm86.c b/src/emu-i386/do_vm86.c index 2b0c108..8b601c4 100644 --- a/src/emu-i386/do_vm86.c +++ b/src/emu-i386/do_vm86.c @@ -502,6 +502,7 @@ int vm86_init(void) hlt_hdlr.name = "do_call_back"; hlt_hdlr.len = 1; hlt_hdlr.func = callback_return; + hlt_hdlr.arg = NULL; CBACK_OFF = hlt_register_handler(hlt_hdlr); return 0; } -- 1.7.9.5 --nextPart3726963.i5OvszIMX8 Content-Disposition: attachment; filename="0003-EMM-Refactor-CHECK_HANDLE-macro-into-inlineable-func.patch" Content-Transfer-Encoding: 7Bit Content-Type: text/x-patch; charset="UTF-8"; name="0003-EMM-Refactor-CHECK_HANDLE-macro-into-inlineable-func.patch" >From 68e18e2201f23f5dd57c94fcdab22cdf6880e5b0 Mon Sep 17 00:00:00 2001 
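Review bot: adding `hlt_hdlr.arg = NULL` at each of the seven registration sites in 0008 fixes the uninitialised field but leaves the pattern fragile: the next member added to the hlt handler struct will again be garbage at every site. Zero-initialising the struct where it is declared (`= {0}` for a local, or a memset before the first assignment) covers every field in one place; the declarations are outside these hunks, so that could be a follow-up patch.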
From: Andrew Bird Date: Fri, 28 Mar 2014 16:31:10 +0000 Subject: [PATCH 3/8] EMM: Refactor CHECK_HANDLE macro into inlineable function Following on from the EMM array handle validity changes, the CHECK_HANDLE macro has been refactored into a more generic function that is potentially inlineable by the compiler and aims to enhance readability. --- src/dosext/misc/emm.c | 97 ++++++++++++++++++++----------------------------- 1 file changed, 40 insertions(+), 57 deletions(-) diff --git a/src/dosext/misc/emm.c b/src/dosext/misc/emm.c index cadf3dc..ffb95ea 100644 --- a/src/dosext/misc/emm.c +++ b/src/dosext/misc/emm.c @@ -210,19 +210,6 @@ static u_short os_allow=1; #define SET_HANDLE_NAME(nameptr, name) \ { memmove((nameptr), (name), 8); nameptr[8]=0; } -#define CHECK_HANDLE(handle) \ - if ((handle < 0) || (handle >= MAX_HANDLES)) { \ - E_printf("Invalid Handle handle=%x\n", handle); \ - SETHIGH(&(state->eax), EMM_INV_HAN); \ - return; \ - } \ - if (handle_info[handle].active == 0) { \ - E_printf("Invalid Handle handle=%x, active=%d\n", \ - handle, handle_info[handle].active); \ - SETHIGH(&(state->eax), EMM_INV_HAN); \ - return; \ - } - /* this will have to change...0 counts are allowed */ #define HANDLE_ALLOCATED(handle) \ (handle_info[handle].active) 
@@ -371,16 +358,31 @@ emm_allocate_handle(int pages_needed) return (EMM_ERROR); } +static boolean_t emm_valid_handle(int handle) +{ + if ((handle < 0) || (handle >= MAX_HANDLES)) { + E_printf("EMS: Invalid Handle handle=%x\n", handle); + return FALSE; + } + + if (handle_info[handle].active == 0) { + E_printf("EMS: Invalid Handle handle=%x, active=%d\n", + handle, handle_info[handle].active); + return FALSE; + } + + return TRUE; +} + static boolean_t emm_deallocate_handle(int handle) { int numpages, i; void *object; - if ((handle < 0) || (handle >= MAX_HANDLES)) - return (FALSE); - if (handle_info[handle].active != 1) + if (!emm_valid_handle(handle)) return (FALSE); + for (i = 0; i < phys_pages; i++) { if (emm_map[i].handle == handle) { unmap_page(i); @@ -589,15 +591,9 @@ do_map_unmap(int handle, int physical_page, int logical_page) unmap_page(physical_page); } else { - if ((handle < 0) || (handle >= MAX_HANDLES)) { - E_printf("Invalid Handle handle=%x\n", handle); - return EMM_INV_HAN; - } - if (handle_info[handle].active == 0) { - E_printf("Invalid Handle handle=%x, active=%d\n", - handle, handle_info[handle].active); + if (!emm_valid_handle(handle)) return EMM_INV_HAN; - } + CHECK_OS_HANDLE(handle); if (logical_page >= handle_info[handle].numpages) { E_printf("Logical page too high logical_page=%d, numpages=%d\n", @@ -768,7 +764,11 @@ map_unmap_multiple(state_t * state) int ret; Kdebug0((dbg_fd, "map_unmap_multiple %d called\n", method)); - CHECK_HANDLE(handle); + + if (!emm_valid_handle(handle)) { + SETHIGH(&(state->eax), EMM_INV_HAN); + return; + } switch (method) { case MULT_LOGPHYS: 
@@ -801,12 +801,7 @@ reallocate_pages(state_t * state) int newcount = WORD(state->ebx); void *obj; - if ((handle < 0) || (handle >= MAX_HANDLES)) { - SETHIGH(&(state->eax), EMM_INV_HAN); - return; - } - - if (!handle_info[handle].active) { /* no-handle */ + if (!emm_valid_handle(handle)) { Kdebug0((dbg_fd, "reallocate_pages handle %d invalid\n", handle)); SETHIGH(&(state->eax), EMM_INV_HAN); return; @@ -950,7 +945,11 @@ handle_name(state_t * state) int handle = WORD(state->edx); u_char *array = (u_char *) Addr(state, es, edi); - CHECK_HANDLE(handle); + if (!emm_valid_handle(handle)) { + SETHIGH(&(state->eax), EMM_INV_HAN); + return; + } + handle_info[handle].name[8] = 0; Kdebug0((dbg_fd, "get handle name %d = %s\n", handle, handle_info[handle].name)); @@ -968,7 +967,11 @@ handle_name(state_t * state) E_printf("SET_NAME of %8.8s\n", (u_char *)array); - CHECK_HANDLE(handle); + if (!emm_valid_handle(handle)) { + SETHIGH(&(state->eax), EMM_INV_HAN); + return; + } + memmove(handle_info[handle].name, array, 8); handle_info[handle].name[8] = 0; @@ -1842,13 +1845,7 @@ ems_fn(state) if (handle == OS_HANDLE) E_printf("EMS: trying to use OS handle in DEALLOCATE_HANDLE\n"); - if ((handle < 0) || (handle >= MAX_HANDLES)) { - E_printf("EMS: Invalid Handle\n"); - SETHIGH(&(state->eax), EMM_INV_HAN); - return (UNCHANGED); - } - if (handle_info[handle].active == 0) { - E_printf("EMS: Invalid Handle\n"); + if (!emm_valid_handle(handle)) { SETHIGH(&(state->eax), EMM_INV_HAN); return (UNCHANGED); } @@ -1873,11 +1870,7 @@ ems_fn(state) if (handle == OS_HANDLE) E_printf("EMS: trying to use OS handle in SAVE_PAGE_MAP\n"); - if ((handle < 0) || (handle >= MAX_HANDLES)) { - SETHIGH(&(state->eax), EMM_INV_HAN); - return (UNCHANGED); - } - if (handle_info[handle].active == 0) { + if (!emm_valid_handle(handle)) { SETHIGH(&(state->eax), EMM_INV_HAN); return (UNCHANGED); } 
@@ -1895,11 +1888,7 @@ ems_fn(state) if (handle == OS_HANDLE) E_printf("EMS: trying to use OS handle in RESTORE_PAGE_MAP\n"); - if ((handle < 0) || (handle >= MAX_HANDLES)) { - SETHIGH(&(state->eax), EMM_INV_HAN); - return (UNCHANGED); - } - if (handle_info[handle].active == 0) { + if (!emm_valid_handle(handle)) { SETHIGH(&(state->eax), EMM_INV_HAN); return (UNCHANGED); } @@ -1929,13 +1918,7 @@ ems_fn(state) Kdebug1((dbg_fd, "bios_emm: Get Pages Owned, han-0x%x\n", handle)); - if ((handle < 0) || (handle >= MAX_HANDLES)) { - SETHIGH(&(state->eax), EMM_INV_HAN); - SETWORD(&(state->ebx), 0); - return (UNCHANGED); - } - - if (handle_info[handle].active == 0) { + if (!emm_valid_handle(handle)) { SETHIGH(&(state->eax), EMM_INV_HAN); SETWORD(&(state->ebx), 0); return (UNCHANGED); -- 1.7.9.5 --nextPart3726963.i5OvszIMX8 Content-Disposition: attachment; filename="0002-EMM-Fix-potential-array-overrun.patch" Content-Transfer-Encoding: 7Bit Content-Type: text/x-patch; charset="UTF-8"; name="0002-EMM-Fix-potential-array-overrun.patch" >From c10dd27818d9bf61b8633f1d44153599a98f8b94 Mon Sep 17 00:00:00 2001 From: Andrew Bird Date: Fri, 28 Mar 2014 15:56:11 +0000 Subject: [PATCH 2/8] EMM: Fix potential array overrun. The maximum number of EMM handles is defined as 255 and consequently the handle_info array is sized to have valid values of 0..254. The code checks for out of bounds values < 0 and > 254 *OR* handle_info[handle].active == 0, so there is the potential to overrun the handle_info array if the handle is invalid, this patch corrects that. --- src/dosext/misc/emm.c | 46 ++++++++++++++++++++++++++++++++++------------ 1 file changed, 34 insertions(+), 12 deletions(-) diff --git a/src/dosext/misc/emm.c b/src/dosext/misc/emm.c index 7cf96ea..cadf3dc 100644 --- a/src/dosext/misc/emm.c +++ b/src/dosext/misc/emm.c 
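Review bot: the emm_deallocate_handle hunk of 0003 changes which handles are accepted: the removed test was `handle_info[handle].active != 1`, while emm_valid_handle() rejects only `active == 0`, so a handle whose active field holds any value other than 0 or 1 now passes deallocation where it was previously refused. The HANDLE_ALLOCATED comment "0 counts are allowed" in the first hunk suggests active may not be strictly boolean; if it is, say so in the commit message, otherwise keep the `!= 1` test at this call site. The same hunk also adds an E_printf on the failure path where the old code returned silently, a small log-noise change worth a mention.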
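Review bot: the commit message of 0003 describes the helper as "potentially inlineable", but the emm_valid_handle hunk declares it plain `static`; mark it `static inline` if that is the intent (the compiler will usually inline a small static function in the same translation unit anyway). In the reallocate_pages hunk the failure path now emits both the E_printf from emm_valid_handle() and the existing Kdebug0 "reallocate_pages handle %d invalid" for the same condition; one of the two can go.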
@@ -211,8 +211,12 @@ static u_short os_allow=1; { memmove((nameptr), (name), 8); nameptr[8]=0; } #define CHECK_HANDLE(handle) \ - if ((handle < 0) || (handle >= MAX_HANDLES) || \ - (handle_info[handle].active == 0)) { \ + if ((handle < 0) || (handle >= MAX_HANDLES)) { \ + E_printf("Invalid Handle handle=%x\n", handle); \ + SETHIGH(&(state->eax), EMM_INV_HAN); \ + return; \ + } \ + if (handle_info[handle].active == 0) { \ E_printf("Invalid Handle handle=%x, active=%d\n", \ handle, handle_info[handle].active); \ SETHIGH(&(state->eax), EMM_INV_HAN); \ @@ -585,8 +589,11 @@ do_map_unmap(int handle, int physical_page, int logical_page) unmap_page(physical_page); } else { - if ((handle < 0) || (handle >= MAX_HANDLES) || - (handle_info[handle].active == 0)) { + if ((handle < 0) || (handle >= MAX_HANDLES)) { + E_printf("Invalid Handle handle=%x\n", handle); + return EMM_INV_HAN; + } + if (handle_info[handle].active == 0) { E_printf("Invalid Handle handle=%x, active=%d\n", handle, handle_info[handle].active); return EMM_INV_HAN; @@ -1835,8 +1842,12 @@ ems_fn(state) if (handle == OS_HANDLE) E_printf("EMS: trying to use OS handle in DEALLOCATE_HANDLE\n"); - if ((handle < 0) || (handle >= MAX_HANDLES) || - (handle_info[handle].active == 0)) { + if ((handle < 0) || (handle >= MAX_HANDLES)) { + E_printf("EMS: Invalid Handle\n"); + SETHIGH(&(state->eax), EMM_INV_HAN); + return (UNCHANGED); + } + if (handle_info[handle].active == 0) { E_printf("EMS: Invalid Handle\n"); SETHIGH(&(state->eax), EMM_INV_HAN); return (UNCHANGED); @@ -1862,8 +1873,11 @@ ems_fn(state) if (handle == OS_HANDLE) E_printf("EMS: trying to use OS handle in SAVE_PAGE_MAP\n"); - if ((handle < 0) || (handle >= MAX_HANDLES) || - (handle_info[handle].active == 0)) { + if ((handle < 0) || (handle >= MAX_HANDLES)) { + SETHIGH(&(state->eax), EMM_INV_HAN); + return (UNCHANGED); + } + if (handle_info[handle].active == 0) { SETHIGH(&(state->eax), EMM_INV_HAN); return (UNCHANGED); } 
@@ -1881,8 +1895,11 @@ ems_fn(state) if (handle == OS_HANDLE) E_printf("EMS: trying to use OS handle in RESTORE_PAGE_MAP\n"); - if ((handle < 0) || (handle >= MAX_HANDLES) || - (handle_info[handle].active == 0)) { + if ((handle < 0) || (handle >= MAX_HANDLES)) { + SETHIGH(&(state->eax), EMM_INV_HAN); + return (UNCHANGED); + } + if (handle_info[handle].active == 0) { SETHIGH(&(state->eax), EMM_INV_HAN); return (UNCHANGED); } @@ -1912,8 +1929,13 @@ ems_fn(state) Kdebug1((dbg_fd, "bios_emm: Get Pages Owned, han-0x%x\n", handle)); - if ((handle < 0) || (handle >= MAX_HANDLES) || - (handle_info[handle].active == 0)) { + if ((handle < 0) || (handle >= MAX_HANDLES)) { + SETHIGH(&(state->eax), EMM_INV_HAN); + SETWORD(&(state->ebx), 0); + return (UNCHANGED); + } + + if (handle_info[handle].active == 0) { SETHIGH(&(state->eax), EMM_INV_HAN); SETWORD(&(state->ebx), 0); return (UNCHANGED); -- 1.7.9.5 --nextPart3726963.i5OvszIMX8 Content-Disposition: attachment; filename="0004-XMS-Avoid-negative-indexing-into-an-array-if-functio.patch" Content-Transfer-Encoding: 7Bit Content-Type: text/x-patch; charset="UTF-8"; name="0004-XMS-Avoid-negative-indexing-into-an-array-if-functio.patch" >From f098f471ee410aa1c09099b61cbd8aee4c7ca3fd Mon Sep 17 00:00:00 2001 From: Andrew Bird Date: Fri, 28 Mar 2014 17:19:56 +0000 Subject: [PATCH 4/8] XMS: Avoid negative indexing into an array if function returns error The umb_find_unused() function may return UMB_NULL (-1) if it failed to find a free umb. This patch tests the result before indexing into the 'umbs' array with it --- src/dosext/misc/xms.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/dosext/misc/xms.c b/src/dosext/misc/xms.c index 4af8046..0c3a8b6 100644 --- a/src/dosext/misc/xms.c +++ b/src/dosext/misc/xms.c 
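Review bot: only the CHECK_HANDLE and do_map_unmap hunks of 0002 close a real out-of-bounds read, because those are the failure bodies that print handle_info[handle].active; in the DEALLOCATE_HANDLE, SAVE_PAGE_MAP, RESTORE_PAGE_MAP and Get Pages Owned hunks the body never touches handle_info, and the short-circuit `||` in the old condition already prevented the indexed read, so splitting the test there duplicates identical branches without changing behaviour. Either trim the commit to the two hunks that matter or state in the message that the rest is for uniformity ahead of the refactor in 0003, so the description matches the diff.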
@@ -126,9 +126,14 @@ umb_setup(void) addr_start = 0x00000; /* start address */ while ((size = memcheck_findhole(&addr_start, 1024, 0x100000)) != 0) { Debug0((dbg_fd, "findhole - from 0x%5.5zX, %dKb\n", addr_start, size/1024)); - memcheck_reserve('U', addr_start, size); umb = umb_find_unused(); + if (umb == UMB_NULL) { + Debug0((dbg_fd, "umb_setup: no unused umb found\n")); + continue; + } + + memcheck_reserve('U', addr_start, size); umbs[umb].in_use = TRUE; umbs[umb].free = TRUE; umbs[umb].addr = addr_start; -- 1.7.9.5 --nextPart3726963.i5OvszIMX8 Content-Disposition: attachment; filename="0005-Fix-use-after-free-in-error-path.patch" Content-Transfer-Encoding: 7Bit Content-Type: text/x-patch; charset="UTF-8"; name="0005-Fix-use-after-free-in-error-path.patch" >From 837676b8f880b250dd1fb51f46981e8e9eabb9d7 Mon Sep 17 00:00:00 2001 From: Andrew Bird Date: Fri, 28 Mar 2014 17:26:50 +0000 Subject: [PATCH 5/8] Fix use after free in error path --- src/arch/linux/debugger/dosdebug.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/arch/linux/debugger/dosdebug.c b/src/arch/linux/debugger/dosdebug.c index af0d88f..d4ffda4 100644 --- a/src/arch/linux/debugger/dosdebug.c +++ b/src/arch/linux/debugger/dosdebug.c @@ -68,9 +68,12 @@ static int find_dosemu_pid(char *tmpfile, int local) dir = opendir(dn); if (!dir) { - free(dn); - if (local) return -1; + if (local) { + free(dn); + return -1; + } fprintf(stderr, "can't open directory %s\n",dn); + free(dn); exit(1); } i = 0; -- 1.7.9.5 --nextPart3726963.i5OvszIMX8--
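Review bot: the `continue` in the umb_setup hunk of 0004 risks an endless loop: once umb_find_unused() returns UMB_NULL the umbs table is full, and because memcheck_reserve() is now skipped the hole at addr_start stays unreserved, so unless memcheck_findhole() advances addr_start past it the next iteration finds the same hole and fails the same way. No later iteration can succeed once the table is exhausted, so `break` is both safer and more accurate, and a Debug0 line noting that remaining holes were left unreserved would document the choice. Moving memcheck_reserve() below the check is the right fix for the index itself.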
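Review bot: the find_dosemu_pid hunk of 0005 does fix the use of `dn` after free(), but it now duplicates free(dn) across the two exits. Printing first and freeing once leaves a single cleanup path and reads more simply: `if (!local) fprintf(stderr, "can't open directory %s\n", dn); free(dn); if (local) return -1; exit(1);`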