Permalink
Browse files

integer overflow for two range checks

fix from C Turt, ok miod
  • Loading branch information...
deraadt
deraadt committed Jun 11, 2017
1 parent fe4784a commit 921381e4b09cfac8fa39de5748a946944b3f1e63
Showing with 3 additions and 3 deletions.
  1. +3 −3 sys/dev/ic/sti.c
View
@@ -1,4 +1,4 @@
/* $OpenBSD: sti.c,v 1.77 2015/09/09 18:23:39 deraadt Exp $ */
/* $OpenBSD: sti.c,v 1.78 2017/06/11 02:06:36 deraadt Exp $ */
/*
* Copyright (c) 2000-2003 Michael Shalayeff
@@ -1130,7 +1130,7 @@ sti_ioctl(void *v, u_long cmd, caddr_t data, int flag, struct proc *p)
cmapp = (struct wsdisplay_cmap *)data;
idx = cmapp->index;
count = cmapp->count;
if (idx >= STI_NCMAP || idx + count > STI_NCMAP)
if (idx >= STI_NCMAP || count > STI_NCMAP - idx)
return EINVAL;
if ((ret = copyout(&scr->scr_rcmap[idx], cmapp->red, count)))
break;
@@ -1146,7 +1146,7 @@ sti_ioctl(void *v, u_long cmd, caddr_t data, int flag, struct proc *p)
cmapp = (struct wsdisplay_cmap *)data;
idx = cmapp->index;
count = cmapp->count;
if (idx >= STI_NCMAP || idx + count > STI_NCMAP)
if (idx >= STI_NCMAP || count > STI_NCMAP - idx)
return EINVAL;
if ((ret = copyin(cmapp->red, &scr->scr_rcmap[idx], count)))
break;

0 comments on commit 921381e

Please sign in to comment.