fs: Check offset and length more carefully in mmap callback

Signed-off-by: Xiang Xiao <xiaoxiang@xiaomi.com>
This commit is contained in:
Xiang Xiao 2023-01-03 01:27:25 +08:00 committed by Petro Karashchenko
parent b0a0ba3ad7
commit 7179d57026
5 changed files with 25 additions and 14 deletions


@ -686,7 +686,8 @@ static int fb_mmap(FAR struct file *filep, FAR struct mm_map_entry_s *map)
/* Return the address corresponding to the start of frame buffer. */
if (map->offset + map->length <= fb->fblen)
if (map->offset >= 0 && map->offset < fb->fblen &&
map->length && map->offset + map->length <= fb->fblen)
{
map->vaddr = (FAR char *)fb->fbmem + map->offset;
ret = OK;
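Review bot: The new bound test `map->offset + map->length <= fb->fblen` still forms the sum before comparing, so if offset and length are the same width the addition can wrap for a very large length combined with a small non-negative offset, and the wrapped sum then passes; the preceding `map->offset < fb->fblen` clause does not rule this out. Because the offset is already known to lie in `[0, fblen)` at that point, the subtraction form cannot overflow: `map->length <= fb->fblen - map->offset`. The field types of mm_map_entry_s are not visible in this commit, so whether a wrap is actually reachable depends on their widths. The same shape appears in video_mmap, romfs_mmap and tmpfs_mmap below. fb_mmap begins and ends outside the hunk.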


@ -1582,6 +1582,12 @@ static size_t get_bufsize(FAR video_format_t *vf)
}
}
static size_t get_heapsize(FAR video_type_inf_t *type_inf)
{
return type_inf->bufinf.container_size *
get_bufsize(&type_inf->fmt[VIDEO_FMT_MAIN]);
}
static int video_try_fmt(FAR struct video_mng_s *priv,
FAR struct v4l2_format *v4l2)
{
@ -3195,13 +3201,16 @@ static int video_ioctl(FAR struct file *filep, int cmd, unsigned long arg)
static int video_mmap(FAR struct file *filep, FAR struct mm_map_entry_s *map)
{
FAR struct inode *inode = filep->f_inode;
FAR video_mng_t *priv = (FAR video_mng_t *)inode->i_private;
int ret = -EINVAL;
FAR struct inode *inode = filep->f_inode;
FAR video_mng_t *priv = (FAR video_mng_t *)inode->i_private;
FAR video_type_inf_t *type_inf = &priv->video_inf;
size_t heapsize = get_heapsize(type_inf);
int ret = -EINVAL;
if (map)
if (map->offset >= 0 && map->offset < heapsize &&
map->length && map->offset + map->length <= heapsize)
{
map->vaddr = priv->video_inf.bufheap + map->offset;
map->vaddr = type_inf->bufheap + map->offset;
ret = OK;
}
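Review bot: The `if (map)` guard on the removed line has no counterpart in the new condition beginning `map->offset >= 0 &&`, so video_mmap now dereferences map unconditionally, and `get_heapsize(type_inf)` runs before any argument is checked. If the VFS layer guarantees a non-NULL map before calling the mmap callback this is harmless, but that contract is not visible here; romfs_mmap drops the same guard along with its `rm` and `rf` checks, and tmpfs_mmap drops it too. Either keep the guard, `if (map != NULL && map->offset >= 0 && map->offset < heapsize &&`, or state the contract above the check, `/* map is non-NULL: the VFS validates it before invoking the callback */`. video_mmap's closing lines are outside the hunk.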


@ -580,7 +580,7 @@ errout_with_lock:
static int romfs_ioctl(FAR struct file *filep, int cmd, unsigned long arg)
{
FAR struct romfs_file_s *rf;
FAR struct romfs_file_s *rf;
finfo("cmd: %d arg: %08lx\n", cmd, arg);
@ -625,8 +625,8 @@ static int romfs_mmap(FAR struct file *filep, FAR struct mm_map_entry_s *map)
* the file.
*/
if (map && rm && rm->rm_xipbase && rf &&
map->offset + map->length <= rf->rf_size)
if (rm->rm_xipbase && map->offset >= 0 && map->offset < rf->rf_size &&
map->length != 0 && map->offset + map->length <= rf->rf_size)
{
map->vaddr = rm->rm_xipbase + rf->rf_startoffset + map->offset;
ret = OK;
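Review bot: The length test is spelled `map->length != 0` here but as the bare truth value `map->length` in the fb, video and tmpfs hunks of the same commit, so the identical guard reads differently in each file. The explicit comparison is the clearer form; the other three would become `map->length != 0 && map->offset + map->length <= ...`. The comment introducing this check and the rest of romfs_mmap lie outside the hunk.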


@ -109,7 +109,7 @@ static int rpmsgfs_fstat(FAR const struct file *filep,
FAR struct stat *buf);
static int rpmsgfs_fchstat(FAR const struct file *filep,
FAR const struct stat *buf, int flags);
static int rpmsgfs_ftruncate(FAR struct file *filep,
static int rpmsgfs_truncate(FAR struct file *filep,
off_t length);
static int rpmsgfs_opendir(FAR struct inode *mountpt,
@ -162,7 +162,7 @@ const struct mountpt_operations rpmsgfs_operations =
rpmsgfs_seek, /* seek */
rpmsgfs_ioctl, /* ioctl */
NULL, /* mmap */
rpmsgfs_ftruncate, /* ftruncate */
rpmsgfs_truncate, /* truncate */
rpmsgfs_sync, /* sync */
rpmsgfs_dup, /* dup */
@ -804,7 +804,7 @@ static int rpmsgfs_fchstat(FAR const struct file *filep,
}
/****************************************************************************
* Name: rpmsgfs_ftruncate
* Name: rpmsgfs_truncate
*
* Description:
* Set the length of the open, regular file associated with the file
@ -812,7 +812,7 @@ static int rpmsgfs_fchstat(FAR const struct file *filep,
*
****************************************************************************/
static int rpmsgfs_ftruncate(FAR struct file *filep, off_t length)
static int rpmsgfs_truncate(FAR struct file *filep, off_t length)
{
FAR struct inode *inode;
FAR struct rpmsgfs_mountpt_s *fs;


@ -1655,7 +1655,8 @@ static int tmpfs_mmap(FAR struct file *filep, FAR struct mm_map_entry_s *map)
DEBUGASSERT(tfo != NULL);
if (map && map->offset + map->length <= tfo->tfo_size)
if (map->offset >= 0 && map->offset < tfo->tfo_size &&
map->length && map->offset + map->length <= tfo->tfo_size)
{
map->vaddr = tfo->tfo_data + map->offset;
ret = OK;