RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-27 04:57:45 +00:00
Code Issues Activity Actions

Kernel: Fix integer overflow in framebuffer resolution handling

Browse source 
This made it possible to map the E1000 MMIO range into userspace and
mess with the registers.

Thanks to @grigoritchy for finding this!

Fixes #2015.
This commit is contained in:
Andreas Kling 2020-04-29 09:35:19 +02:00
parent 18cfb9218a
commit 385dacce05
5 changed files with 23 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

8
Kernel/Devices/MBVGADevice.h
View file

@ -38,7 +38,7 @@ class MBVGADevice final : public BlockDevice {
public:
static MBVGADevice& the();
MBVGADevice(PhysicalAddress addr, int pitch, int width, int height);
MBVGADevice(PhysicalAddress addr, size_t pitch, size_t width, size_t height);
virtual int ioctl(FileDescription&, unsigned request, unsigned arg) override;
virtual KResultOr<Region*> mmap(Process&, FileDescription&, VirtualAddress preferred_vaddr, size_t offset, size_t, int prot, bool shared) override;
@ -55,9 +55,9 @@ private:
size_t framebuffer_size_in_bytes() const { return m_framebuffer_pitch * m_framebuffer_height; }
PhysicalAddress m_framebuffer_address;
int m_framebuffer_pitch { 0 };
int m_framebuffer_width { 0 };
int m_framebuffer_height { 0 };
size_t m_framebuffer_pitch { 0 };
size_t m_framebuffer_width { 0 };
size_t m_framebuffer_height { 0 };
};
}