code.vuplus.com Git - vuplus_openembedded/blob - packages/linux/openzaurus-pxa27x-2.4.20-rmk2-embedix20050602/P09-ext3-isofs-fix_041216.patch

   1 diff -Nur c3000_pre/linux/drivers/char/drm/r128_state.c c3000_work/linux/drivers/char/drm/r128_state.c
   2 --- c3000_pre/linux/drivers/char/drm/r128_state.c       2004-08-21 09:48:33.000000000 +0900
   3 +++ c3000_work/linux/drivers/char/drm/r128_state.c      2004-12-16 21:11:04.000000000 +0900
   4 @@ -23,8 +23,22 @@
   5   * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
   6   * DEALINGS IN THE SOFTWARE.
   7   *
   8 + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
   9 + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  10 + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
  11 + * RED HAT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
  12 + * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
  13 + * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
  14 + * DEALINGS IN THE SOFTWARE.
  15 + *
  16 + * THIS SOFTWARE IS NOT INTENDED FOR USE IN SAFETY CRITICAL SYSTEMS
  17 + *
  18   * Authors:
  19   *    Gareth Hughes <gareth@valinux.com>
  20 + *
  21 + * Memory allocation size checks added 14/01/2003, Alan Cox <alan@redhat.com>
  22 + * Memory allocation size checks enhanced 16/02/2004, Thomas Biege <thomas@suse.de>
  23 + *
  24   */
  25
  26  #include "r128.h"
  27 @@ -902,6 +916,9 @@
  28         DRM_DEBUG( "%s\n", __FUNCTION__ );
  29
  30         count = depth->n;
  31 +
  32 +       if( count > 4096 || count <= 0)
  33 +               return -EMSGSIZE;
  34         if ( copy_from_user( &x, depth->x, sizeof(x) ) ) {
  35                 return -EFAULT;
  36         }
  37 @@ -996,6 +1013,9 @@
  38
  39         count = depth->n;
  40
  41 +       if( count > 4096 || count <= 0)
  42 +               return -EMSGSIZE;
  43 +
  44         x = kmalloc( count * sizeof(*x), GFP_KERNEL );
  45         if ( x == NULL ) {
  46                 return -ENOMEM;
  47 @@ -1110,6 +1130,9 @@
  48         DRM_DEBUG( "%s\n", __FUNCTION__ );
  49
  50         count = depth->n;
  51 +
  52 +       if ( count > 4096 || count <= 0)
  53 +               return -EMSGSIZE;
  54         if ( copy_from_user( &x, depth->x, sizeof(x) ) ) {
  55                 return -EFAULT;
  56         }
  57 @@ -1152,9 +1175,14 @@
  58         DRM_DEBUG( "%s\n", __FUNCTION__ );
  59
  60         count = depth->n;
  61 +       if ( count > 4096 || count <= 0)
  62 +               return -EMSGSIZE;
  63         if ( count > dev_priv->depth_pitch ) {
  64                 count = dev_priv->depth_pitch;
  65         }
  66 +       if( count * sizeof(int) <= 0 || count * sizeof(*x) <= 0 || count * sizeof(*y) <= 0)
  67 +               return -EMSGSIZE;
  68 +
  69
  70         x = kmalloc( count * sizeof(*x), GFP_KERNEL );
  71         if ( x == NULL ) {
  72 diff -Nur c3000_pre/linux/drivers/char/drm-4.0/r128_state.c c3000_work/linux/drivers/char/drm-4.0/r128_state.c
  73 --- c3000_pre/linux/drivers/char/drm-4.0/r128_state.c   2004-08-21 09:48:33.000000000 +0900
  74 +++ c3000_work/linux/drivers/char/drm-4.0/r128_state.c  2004-12-16 21:11:04.000000000 +0900
  75 @@ -26,6 +26,8 @@
  76   * Authors:
  77   *    Gareth Hughes <gareth@valinux.com>
  78   *
  79 + * Memory allocation size checks added 16/02/2004, Thomas Biege <thomas@suse.de>
  80 + *
  81   */
  82
  83  #define __NO_VERSION__
  84 @@ -938,6 +940,9 @@
  85         }
  86
  87         count = depth->n;
  88 +
  89 +       if( count > 4096 || count <= 0)
  90 +               return -EMSGSIZE;
  91         if ( copy_from_user( &x, depth->x, sizeof(x) ) ) {
  92                 return -EFAULT;
  93         }
  94 @@ -1047,6 +1052,9 @@
  95         }
  96
  97         count = depth->n;
  98 +       if( count > 4096 || count <= 0 || count * sizeof(*x) <= 0 ||
  99 +           count * sizeof(*y) <= 0)
 100 +               return -EMSGSIZE;
 101
 102         x = kmalloc( count * sizeof(*x), 0 );
 103         if ( x == NULL ) {
 104 @@ -1178,6 +1186,9 @@
 105         }
 106
 107         count = depth->n;
 108 +
 109 +       if ( count > 4096 || count <= 0)
 110 +               return -EMSGSIZE;
 111         if ( copy_from_user( &x, depth->x, sizeof(x) ) ) {
 112                 return -EFAULT;
 113         }
 114 @@ -1235,9 +1246,13 @@
 115         }
 116
 117         count = depth->n;
 118 +       if ( count > 4096 || count <= 0)
 119 +               return -EMSGSIZE;
 120         if ( count > dev_priv->depth_pitch ) {
 121                 count = dev_priv->depth_pitch;
 122         }
 123 +       if( count * sizeof(int) <= 0 || count * sizeof(*x) <= 0 || count * sizeof(*y) <= 0)
 124 +               return -EMSGSIZE;
 125
 126         x = kmalloc( count * sizeof(*x), 0 );
 127         if ( x == NULL ) {
 128 diff -Nur c3000_pre/linux/drivers/sound/sb_audio.c c3000_work/linux/drivers/sound/sb_audio.c
 129 --- c3000_pre/linux/drivers/sound/sb_audio.c    2004-08-21 09:48:54.000000000 +0900
 130 +++ c3000_work/linux/drivers/sound/sb_audio.c   2004-12-16 21:11:04.000000000 +0900
 131 @@ -879,7 +879,7 @@
 132                         c -= locallen; p += locallen;
 133                 }
 134                 /* used = ( samples * 16 bits size ) */
 135 -               *used = len << 1;
 136 +               *used = (max_in > (max_out << 1)) ? (max_out << 1) : max_in;
 137                 /* returned = ( samples * 8 bits size ) */
 138                 *returned = len;
 139         }
 140 diff -Nur c3000_pre/linux/fs/isofs/dir.c c3000_work/linux/fs/isofs/dir.c
 141 --- c3000_pre/linux/fs/isofs/dir.c      2004-08-21 09:48:59.000000000 +0900
 142 +++ c3000_work/linux/fs/isofs/dir.c     2004-12-16 21:11:04.000000000 +0900
 143 @@ -63,7 +63,8 @@
 144                         break;
 145
 146                 /* Convert remaining ';' to '.' */
 147 -               if (c == ';')
 148 +               /* Also '/' to '.' (broken Acorn-generated ISO9660 images) */
 149 +               if (c == ';' || c == '/')
 150                         c = '.';
 151
 152                 new[i] = c;
 153 diff -Nur c3000_pre/linux/fs/jbd/journal.c c3000_work/linux/fs/jbd/journal.c
 154 --- c3000_pre/linux/fs/jbd/journal.c    2004-08-21 09:48:59.000000000 +0900
 155 +++ c3000_work/linux/fs/jbd/journal.c   2004-12-16 21:11:04.000000000 +0900
 156 @@ -671,6 +671,7 @@
 157
 158         bh = getblk(journal->j_dev, blocknr, journal->j_blocksize);
 159         lock_buffer(bh);
 160 +       memset(bh->b_data, 0, journal->j_blocksize);
 161         BUFFER_TRACE(bh, "return this buffer");
 162         return journal_add_journal_head(bh);
 163  }
 164 diff -Nur c3000_pre/linux/fs/ncpfs/dir.c c3000_work/linux/fs/ncpfs/dir.c
 165 --- c3000_pre/linux/fs/ncpfs/dir.c      2004-08-21 09:49:00.000000000 +0900
 166 +++ c3000_work/linux/fs/ncpfs/dir.c     2004-12-16 21:11:04.000000000 +0900
 167 @@ -266,8 +266,8 @@
 168         struct ncp_server *server;
 169         struct inode *dir = dentry->d_parent->d_inode;
 170         struct ncp_entry_info finfo;
 171 -       int res, val = 0, len = dentry->d_name.len + 1;
 172 -       __u8 __name[len];
 173 +       int res, val = 0, len;
 174 +       __u8 __name[NCP_MAXPATHLEN + 1];
 175
 176         if (!dentry->d_inode || !dir)
 177                 goto finished;
 178 @@ -291,14 +291,15 @@
 179                 dentry->d_parent->d_name.name, dentry->d_name.name,
 180                 NCP_GET_AGE(dentry));
 181
 182 +       len = sizeof(__name);
 183         if (ncp_is_server_root(dir)) {
 184                 res = ncp_io2vol(server, __name, &len, dentry->d_name.name,
 185 -                                               len-1, 1);
 186 +                                dentry->d_name.len, 1);
 187                 if (!res)
 188                         res = ncp_lookup_volume(server, __name, &(finfo.i));
 189         } else {
 190                 res = ncp_io2vol(server, __name, &len, dentry->d_name.name,
 191 -                                               len-1, !ncp_preserve_case(dir));
 192 +                                dentry->d_name.len, !ncp_preserve_case(dir));
 193                 if (!res)
 194                         res = ncp_obtain_info(server, dir, __name, &(finfo.i));
 195         }
 196 @@ -548,9 +549,9 @@
 197         int valid = 0;
 198         int hashed = 0;
 199         ino_t ino = 0;
 200 -       __u8 __name[256];
 201 +       __u8 __name[NCP_MAXPATHLEN + 1];
 202
 203 -       qname.len = 256;
 204 +       qname.len = sizeof(__name);
 205         if (ncp_vol2io(NCP_SERVER(inode), __name, &qname.len,
 206                         entry->i.entryName, entry->i.nameLen,
 207                         !ncp_preserve_entry_case(inode, entry->i.NSCreator)))
 208 @@ -705,16 +706,19 @@
 209  {
 210         struct ncp_server* server = NCP_SBP(sb);
 211         struct nw_info_struct i;
 212 -       int result, len = strlen(server->m.mounted_vol) + 1;
 213 -       __u8 __name[len];
 214 +       int result;
 215
 216         if (ncp_single_volume(server)) {
 217 +               int len;
 218                 struct dentry* dent;
 219 +               __u8 __name[NCP_MAXPATHLEN + 1];
 220
 221 -               result = -ENOENT;
 222 -               if (ncp_io2vol(server, __name, &len, server->m.mounted_vol,
 223 -                                                               len-1, 1))
 224 +               len = sizeof(__name);
 225 +               result = ncp_io2vol(server, __name, &len, server->m.mounted_vol,
 226 +                                   strlen(server->m.mounted_vol), 1);
 227 +               if (result)
 228                         goto out;
 229 +               result = -ENOENT;
 230                 if (ncp_lookup_volume(server, __name, &i)) {
 231                         PPRINTK("ncp_conn_logged_in: %s not found\n",
 232                                 server->m.mounted_vol);
 233 @@ -745,8 +749,8 @@
 234         struct ncp_server *server = NCP_SERVER(dir);
 235         struct inode *inode = NULL;
 236         struct ncp_entry_info finfo;
 237 -       int error, res, len = dentry->d_name.len + 1;
 238 -       __u8 __name[len];
 239 +       int error, res, len;
 240 +       __u8 __name[NCP_MAXPATHLEN + 1];
 241
 242         error = -EIO;
 243         if (!ncp_conn_valid(server))
 244 @@ -755,14 +759,15 @@
 245         PPRINTK("ncp_lookup: server lookup for %s/%s\n",
 246                 dentry->d_parent->d_name.name, dentry->d_name.name);
 247
 248 +       len = sizeof(__name);
 249         if (ncp_is_server_root(dir)) {
 250                 res = ncp_io2vol(server, __name, &len, dentry->d_name.name,
 251 -                                               len-1, 1);
 252 +                                               dentry->d_name.len, 1);
 253                 if (!res)
 254                         res = ncp_lookup_volume(server, __name, &(finfo.i));
 255         } else {
 256                 res = ncp_io2vol(server, __name, &len, dentry->d_name.name,
 257 -                                               len-1, !ncp_preserve_case(dir));
 258 +                                dentry->d_name.len, !ncp_preserve_case(dir));
 259                 if (!res)
 260                         res = ncp_obtain_info(server, dir, __name, &(finfo.i));
 261         }
 262 @@ -825,9 +830,9 @@
 263  {
 264         struct ncp_server *server = NCP_SERVER(dir);
 265         struct ncp_entry_info finfo;
 266 -       int error, result, len = dentry->d_name.len + 1;
 267 +       int error, result, len;
 268         int opmode;
 269 -       __u8 __name[len];
 270 +       __u8 __name[NCP_MAXPATHLEN + 1];
 271
 272         PPRINTK("ncp_create_new: creating %s/%s, mode=%x\n",
 273                 dentry->d_parent->d_name.name, dentry->d_name.name, mode);
 274 @@ -836,8 +841,9 @@
 275                 goto out;
 276
 277         ncp_age_dentry(server, dentry);
 278 +       len = sizeof(__name);
 279         error = ncp_io2vol(server, __name, &len, dentry->d_name.name,
 280 -                                               len-1, !ncp_preserve_case(dir));
 281 +                          dentry->d_name.len, !ncp_preserve_case(dir));
 282         if (error)
 283                 goto out;
 284
 285 @@ -880,8 +886,8 @@
 286  {
 287         struct ncp_entry_info finfo;
 288         struct ncp_server *server = NCP_SERVER(dir);
 289 -       int error, len = dentry->d_name.len + 1;
 290 -       __u8 __name[len];
 291 +       int error, len;
 292 +       __u8 __name[NCP_MAXPATHLEN + 1];
 293
 294         DPRINTK("ncp_mkdir: making %s/%s\n",
 295                 dentry->d_parent->d_name.name, dentry->d_name.name);
 296 @@ -890,8 +896,9 @@
 297                 goto out;
 298
 299         ncp_age_dentry(server, dentry);
 300 +       len = sizeof(__name);
 301         error = ncp_io2vol(server, __name, &len, dentry->d_name.name,
 302 -                                               len-1, !ncp_preserve_case(dir));
 303 +                          dentry->d_name.len, !ncp_preserve_case(dir));
 304         if (error)
 305                 goto out;
 306
 307 @@ -909,8 +916,8 @@
 308  static int ncp_rmdir(struct inode *dir, struct dentry *dentry)
 309  {
 310         struct ncp_server *server = NCP_SERVER(dir);
 311 -       int error, result, len = dentry->d_name.len + 1;
 312 -       __u8 __name[len];
 313 +       int error, result, len;
 314 +       __u8 __name[NCP_MAXPATHLEN + 1];
 315
 316         DPRINTK("ncp_rmdir: removing %s/%s\n",
 317                 dentry->d_parent->d_name.name, dentry->d_name.name);
 318 @@ -923,8 +930,9 @@
 319         if (!d_unhashed(dentry))
 320                 goto out;
 321
 322 +       len = sizeof(__name);
 323         error = ncp_io2vol(server, __name, &len, dentry->d_name.name,
 324 -                                               len-1, !ncp_preserve_case(dir));
 325 +                          dentry->d_name.len, !ncp_preserve_case(dir));
 326         if (error)
 327                 goto out;
 328
 329 @@ -1022,9 +1030,8 @@
 330  {
 331         struct ncp_server *server = NCP_SERVER(old_dir);
 332         int error;
 333 -       int old_len = old_dentry->d_name.len + 1;
 334 -       int new_len = new_dentry->d_name.len + 1;
 335 -       __u8 __old_name[old_len], __new_name[new_len];
 336 +       int old_len, new_len;
 337 +       __u8 __old_name[NCP_MAXPATHLEN + 1], __new_name[NCP_MAXPATHLEN + 1];
 338
 339         DPRINTK("ncp_rename: %s/%s to %s/%s\n",
 340                 old_dentry->d_parent->d_name.name, old_dentry->d_name.name,
 341 @@ -1037,14 +1044,16 @@
 342         ncp_age_dentry(server, old_dentry);
 343         ncp_age_dentry(server, new_dentry);
 344
 345 +       old_len = sizeof(__old_name);
 346         error = ncp_io2vol(server, __old_name, &old_len,
 347 -                                       old_dentry->d_name.name, old_len-1,
 348 +                          old_dentry->d_name.name, old_dentry->d_name.len,
 349                                         !ncp_preserve_case(old_dir));
 350         if (error)
 351                 goto out;
 352
 353 +       new_len = sizeof(__new_name);
 354         error = ncp_io2vol(server, __new_name, &new_len,
 355 -                                       new_dentry->d_name.name, new_len-1,
 356 +                          new_dentry->d_name.name, new_dentry->d_name.len,
 357                                         !ncp_preserve_case(new_dir));
 358         if (error)
 359                 goto out;