fs: Check offset and length more carefully in mmap callback
Signed-off-by: Xiang Xiao <xiaoxiang@xiaomi.com>
parent
b0a0ba3ad7
commit
7179d57026
|
@ -686,7 +686,8 @@ static int fb_mmap(FAR struct file *filep, FAR struct mm_map_entry_s *map)
|
|||
|
||||
/* Return the address corresponding to the start of frame buffer. */
|
||||
|
||||
if (map->offset + map->length <= fb->fblen)
|
||||
if (map->offset >= 0 && map->offset < fb->fblen &&
|
||||
map->length && map->offset + map->length <= fb->fblen)
|
||||
{
|
||||
map->vaddr = (FAR char *)fb->fbmem + map->offset;
|
||||
ret = OK;
|
||||
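Review bot: The last clause, `map->offset + map->length <= fb->fblen`, can still be satisfied by a wrapped sum. The field types are declared outside this hunk, but if the offset and length have the same width, a length near the type's maximum makes the addition wrap to a small value, and the range is accepted even though it runs past the frame buffer. The earlier clauses already guarantee `0 <= map->offset < fb->fblen`, so the subtraction form cannot wrap: `map->length != 0 && map->length <= fb->fblen - map->offset`. The same condition is added in video_mmap, romfs_mmap and tmpfs_mmap and needs the same change there. fb_mmap's body starts and ends outside the hunk.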
|
|
|
@ -1582,6 +1582,12 @@ static size_t get_bufsize(FAR video_format_t *vf)
|
|||
}
|
||||
}
|
||||
|
||||
static size_t get_heapsize(FAR video_type_inf_t *type_inf)
|
||||
{
|
||||
return type_inf->bufinf.container_size *
|
||||
get_bufsize(&type_inf->fmt[VIDEO_FMT_MAIN]);
|
||||
}
|
||||
|
||||
static int video_try_fmt(FAR struct video_mng_s *priv,
|
||||
FAR struct v4l2_format *v4l2)
|
||||
{
|
||||
|
@ -3197,11 +3203,14 @@ static int video_mmap(FAR struct file *filep, FAR struct mm_map_entry_s *map)
|
|||
{
|
||||
FAR struct inode *inode = filep->f_inode;
|
||||
FAR video_mng_t *priv = (FAR video_mng_t *)inode->i_private;
|
||||
FAR video_type_inf_t *type_inf = &priv->video_inf;
|
||||
size_t heapsize = get_heapsize(type_inf);
|
||||
int ret = -EINVAL;
|
||||
|
||||
if (map)
|
||||
if (map->offset >= 0 && map->offset < heapsize &&
|
||||
map->length && map->offset + map->length <= heapsize)
|
||||
{
|
||||
map->vaddr = priv->video_inf.bufheap + map->offset;
|
||||
map->vaddr = type_inf->bufheap + map->offset;
|
||||
ret = OK;
|
||||
}
|
||||
|
||||
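Review bot: The bound `heapsize` is recomputed in get_heapsize() from `container_size` and the main format, not taken from the size `type_inf->bufheap` was allocated with, and nothing in this hunk checks that `bufheap` is non-NULL. If the format or container count can change after allocation, or mmap can be reached before the heap exists (neither is visible here), the check would accept a range the heap does not cover. Consider adding `type_inf->bufheap != NULL &&` to the condition and a comment on get_heapsize() stating that its result must equal the allocated size. The product `container_size * get_bufsize(...)` is also not checked for overflow. video_mmap's body continues outside the hunk.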
|
|
|
@ -625,8 +625,8 @@ static int romfs_mmap(FAR struct file *filep, FAR struct mm_map_entry_s *map)
|
|||
* the file.
|
||||
*/
|
||||
|
||||
if (map && rm && rm->rm_xipbase && rf &&
|
||||
map->offset + map->length <= rf->rf_size)
|
||||
if (rm->rm_xipbase && map->offset >= 0 && map->offset < rf->rf_size &&
|
||||
map->length != 0 && map->offset + map->length <= rf->rf_size)
|
||||
{
|
||||
map->vaddr = rm->rm_xipbase + rf->rf_startoffset + map->offset;
|
||||
ret = OK;
|
||||
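Review bot: The new condition reads `rm->rm_xipbase` and `rf->rf_size` without the `rm` and `rf` NULL tests that the previous condition carried. The start of romfs_mmap is outside the hunk, so both pointers may already be validated there. If they are not, a `DEBUGASSERT(rm != NULL && rf != NULL);` ahead of the test would state the assumption explicitly, the way tmpfs_mmap does for `tfo`.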
|
|
|
@ -109,7 +109,7 @@ static int rpmsgfs_fstat(FAR const struct file *filep,
|
|||
FAR struct stat *buf);
|
||||
static int rpmsgfs_fchstat(FAR const struct file *filep,
|
||||
FAR const struct stat *buf, int flags);
|
||||
static int rpmsgfs_ftruncate(FAR struct file *filep,
|
||||
static int rpmsgfs_truncate(FAR struct file *filep,
|
||||
off_t length);
|
||||
|
||||
static int rpmsgfs_opendir(FAR struct inode *mountpt,
|
||||
|
@ -162,7 +162,7 @@ const struct mountpt_operations rpmsgfs_operations =
|
|||
rpmsgfs_seek, /* seek */
|
||||
rpmsgfs_ioctl, /* ioctl */
|
||||
NULL, /* mmap */
|
||||
rpmsgfs_ftruncate, /* ftruncate */
|
||||
rpmsgfs_truncate, /* truncate */
|
||||
|
||||
rpmsgfs_sync, /* sync */
|
||||
rpmsgfs_dup, /* dup */
|
||||
|
@ -804,7 +804,7 @@ static int rpmsgfs_fchstat(FAR const struct file *filep,
|
|||
}
|
||||
|
||||
/****************************************************************************
|
||||
* Name: rpmsgfs_ftruncate
|
||||
* Name: rpmsgfs_truncate
|
||||
*
|
||||
* Description:
|
||||
* Set the length of the open, regular file associated with the file
|
||||
|
@ -812,7 +812,7 @@ static int rpmsgfs_fchstat(FAR const struct file *filep,
|
|||
*
|
||||
****************************************************************************/
|
||||
|
||||
static int rpmsgfs_ftruncate(FAR struct file *filep, off_t length)
|
||||
static int rpmsgfs_truncate(FAR struct file *filep, off_t length)
|
||||
{
|
||||
FAR struct inode *inode;
|
||||
FAR struct rpmsgfs_mountpt_s *fs;
|
||||
|
|
|
@ -1655,7 +1655,8 @@ static int tmpfs_mmap(FAR struct file *filep, FAR struct mm_map_entry_s *map)
|
|||
|
||||
DEBUGASSERT(tfo != NULL);
|
||||
|
||||
if (map && map->offset + map->length <= tfo->tfo_size)
|
||||
if (map->offset >= 0 && map->offset < tfo->tfo_size &&
|
||||
map->length && map->offset + map->length <= tfo->tfo_size)
|
||||
{
|
||||
map->vaddr = tfo->tfo_data + map->offset;
|
||||
ret = OK;
|
||||
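Review bot: This is the fourth hand-written copy of the same four-clause range test on this page (fb_mmap, video_mmap, romfs_mmap and here), and the copies already differ in spelling: romfs_mmap writes `map->length != 0` where this one writes `map->length`. A single static inline helper taking the map entry and the object size would keep the bounds logic in one reviewed place, so a later correction to it cannot miss a driver. A short comment such as `/* Reject empty ranges and ranges that start or end outside the file */` above the test would also document why each clause is there. tmpfs_mmap's body starts and ends outside the hunk.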
|
|