Author: jgardou
Date: Tue Dec 21 21:55:29 2010
New Revision: 50085
URL:
http://svn.reactos.org/svn/reactos?rev=50085&view=rev
Log:
[VGA_NEW]
- avoid buffer overrun, CID 11049
Brought to light by vicmarcal
Modified:
trunk/reactos/drivers/video/miniport/vga_new/vbe.c
trunk/reactos/drivers/video/miniport/vga_new/vbe.h
trunk/reactos/drivers/video/miniport/vga_new/vbemodes.c
trunk/reactos/drivers/video/miniport/vga_new/vga.h
Modified: trunk/reactos/drivers/video/miniport/vga_new/vbe.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/video/miniport/vga…
==============================================================================
--- trunk/reactos/drivers/video/miniport/vga_new/vbe.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/video/miniport/vga_new/vbe.c [iso-8859-1] Tue Dec 21 21:55:29
2010
@@ -42,7 +42,7 @@
{
ULONG i;
CHAR Version[21];
-
+
/* If the broken VESA bios found, turn VESA off */
VideoPortDebugPrint(0, "Vendor: %s Product: %s Revision: %s (%lx)\n",
Vendor, Product, Revision, OemRevision);
for (i = 0; i < (sizeof(BrokenVesaBiosList) / sizeof(PCHAR)); i++)
@@ -52,7 +52,7 @@
/* For Brookdale-G (Intel), special hack used */
g_bIntelBrookdaleBIOS = !strncmp(Product, IntelBrookdale, sizeof(IntelBrookdale));
-
+
/* For NVIDIA make sure */
if (!(strncmp(Vendor, Nv11Vendor, sizeof(Nv11Vendor))) &&
!(strncmp(Product, Nv11Board, sizeof(Nv11Board))) &&
@@ -64,10 +64,10 @@
0xC000,
345,
Version,
- sizeof(Version))) return FALSE;
+ sizeof(Version))) return FALSE;
if (!strncmp(Version, "Version 3.11.01.24N16", sizeof(Version))) return
FALSE;
}
-
+
/* VESA ok */
//VideoPortDebugPrint(0, "Vesa ok\n");
return TRUE;
@@ -85,13 +85,13 @@
CHAR ProductName[80];
CHAR VendorName[80];
VP_STATUS Status;
-
+
/* Set default */
VesaBiosOk = FALSE;
Context = VgaExtension->Int10Interface.Context;
-
+
/* Check magic and version */
- if (strncmp(VbeInfo->Info.Signature, "VESA", 4)) return VesaBiosOk;
+ if (VbeInfo->Info.Signature == VESA_MAGIC) return VesaBiosOk;
if (VbeInfo->Info.Version < 0x102) return VesaBiosOk;
/* Read strings */
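Review bot: The new signature test `if (VbeInfo->Info.Signature == VESA_MAGIC) return VesaBiosOk;` is inverted relative to the line it replaces. The old `strncmp(...)` was non-zero, and so returned early with `VesaBiosOk` still FALSE, only when the signature was not "VESA". As written, a controller info block with the correct signature is rejected, while a block with any other signature passes on to the version check and the string reads that follow, so the validation no longer protects the later parsing of BIOS-supplied data. The line should read `if (VbeInfo->Info.Signature != VESA_MAGIC) return VesaBiosOk;`. The enclosing function starts and ends outside this hunk.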
@@ -125,13 +125,13 @@
ProductName[sizeof(OemString) - 1] = ANSI_NULL;
ProductRevision[sizeof(OemString) - 1] = ANSI_NULL;
OemString[sizeof(OemString) - 1] = ANSI_NULL;
-
+
/* Check for known bad BIOS */
VesaBiosOk = IsVesaBiosOk(&VgaExtension->Int10Interface,
VbeInfo->Info.OemSoftwareRevision,
VendorName,
ProductName,
- ProductRevision);
+ ProductRevision);
VgaExtension->VesaBiosOk = VesaBiosOk;
return VesaBiosOk;
}
@@ -151,7 +151,7 @@
USHORT i;
Entries = ClutBuffer->NumEntries;
-
+
/* Allocate INT10 context/buffer */
VesaClut = VideoPortAllocatePool(VgaExtension, 1, sizeof(ULONG) * Entries,
0x20616756u);
if (!VesaClut) return ERROR_INVALID_PARAMETER;
@@ -178,7 +178,7 @@
Entries * sizeof(ULONG));
if (Status != NO_ERROR) return ERROR_INVALID_PARAMETER;
- /* Write new palette */
+ /* Write new palette */
BiosArguments.Ebx = 0;
BiosArguments.Ecx = Entries;
BiosArguments.Edx = ClutBuffer->FirstEntry;
Modified: trunk/reactos/drivers/video/miniport/vga_new/vbe.h
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/video/miniport/vga…
==============================================================================
--- trunk/reactos/drivers/video/miniport/vga_new/vbe.h [iso-8859-1] (original)
+++ trunk/reactos/drivers/video/miniport/vga_new/vbe.h [iso-8859-1] Tue Dec 21 21:55:29
2010
@@ -94,7 +94,7 @@
typedef struct _VBE_CONTROLLER_INFO
{
- CHAR Signature[4];
+ ULONG Signature;
USHORT Version;
ULONG OemStringPtr;
LONG Capabilities;
@@ -214,4 +214,7 @@
extern BOOLEAN g_bIntelBrookdaleBIOS;
+/* VBE2 magic number */
+#define VBE2_MAGIC ('V' + ('B' << 8) + ('E' << 16) +
('2' << 24))
+
/* EOF */
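Review bot: `VBE2_MAGIC` is defined here in vbe.h while its counterpart `VESA_MAGIC` is added in the last vga.h hunk, although both are values of the same `VBE_CONTROLLER_INFO.Signature` field. Keeping the two definitions together next to the structure would make the request/response pair easier to find and audit. Both macros also pack the four tag bytes in little-endian order and evaluate to `int`, which the comment does not say; something like `/* "VBE2" tag as it appears in memory when read as a little-endian ULONG */` would state the assumption the `ULONG Signature` comparison relies on.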
Modified: trunk/reactos/drivers/video/miniport/vga_new/vbemodes.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/video/miniport/vga…
==============================================================================
--- trunk/reactos/drivers/video/miniport/vga_new/vbemodes.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/video/miniport/vga_new/vbemodes.c [iso-8859-1] Tue Dec 21
21:55:29 2010
@@ -26,7 +26,7 @@
RaiseToPower2(IN USHORT Value)
{
ULONG SquaredResult = Value;
- if ((Value - 1) & Value) for (SquaredResult = 1; (SquaredResult < Value)
&& (SquaredResult); SquaredResult *= 2);
+ if ((Value - 1) & Value) for (SquaredResult = 1; (SquaredResult < Value)
&& (SquaredResult); SquaredResult *= 2);
return SquaredResult;
}
@@ -34,7 +34,7 @@
NTAPI
VbeGetVideoMemoryBaseAddress(IN PHW_DEVICE_EXTENSION VgaExtension,
IN PVIDEOMODE VgaMode)
-{
+{
ULONG Length = 4 * 1024;
USHORT TrampolineMemorySegment, TrampolineMemoryOffset;
PVOID Context;
@@ -46,7 +46,7 @@
/* Need linear and INT10 interface */
if (!(VgaMode->fbType & VIDEO_MODE_BANKED)) return 0;
if (VgaExtension->Int10Interface.Size) return 0;
-
+
/* Allocate scratch area and context */
VbeModeInfo = VideoPortAllocatePool(VgaExtension, 1, sizeof(VBE_MODE_INFO), '
agV');
if (!VbeModeInfo) return 0;
@@ -71,7 +71,7 @@
VbeModeInfo,
sizeof(VBE_MODE_INFO));
if (Status != NO_ERROR) return 0;
-
+
/* Return phys address and cleanup */
BaseAddress = VbeModeInfo->PhysBasePtr;
VgaExtension->Int10Interface.Int10FreeBuffer(Context,
@@ -91,8 +91,8 @@
VIDEO_X86_BIOS_ARGUMENTS BiosArguments;
ULONG ModeIndex;
ULONG BaseAddress;
-
- VideoPortZeroMemory(&BiosArguments, sizeof(BiosArguments));
+
+ VideoPortZeroMemory(&BiosArguments, sizeof(BiosArguments));
ModeIndex = VgaMode->Mode;
BiosArguments.Eax = ModeIndex & 0x0000FFFF;
BiosArguments.Ebx = ModeIndex >> 16;
@@ -100,12 +100,12 @@
Status = VideoPortInt10(VgaDeviceExtension, &BiosArguments);
if (Status != NO_ERROR) return Status;
- /* Check for VESA mode */
+ /* Check for VESA mode */
if (ModeIndex >> 16)
{
/* Mode set fail */
if (BiosArguments.Eax != VBE_SUCCESS) return ERROR_INVALID_PARAMETER;
-
+
/* Check current mode is desired mode */
BiosArguments.Eax = VBE_GET_CURRENT_VBE_MODE;
Status = VideoPortInt10(VgaDeviceExtension, &BiosArguments);
@@ -132,7 +132,7 @@
}
}
}
-
+
/* Get VRAM address to update changes */
BaseAddress = VbeGetVideoMemoryBaseAddress(VgaDeviceExtension, VgaMode);
if ((BaseAddress) && (VgaMode->PhysBase != BaseAddress))
@@ -140,8 +140,8 @@
*PhysPtrChange = TRUE;
VgaMode->PhysBase = BaseAddress;
}
-
- return NO_ERROR;
+
+ return NO_ERROR;
}
VOID
@@ -179,7 +179,7 @@
VgaExtension->Int10Interface.Version = 0;
return;
}
-
+
/* Query INT10 interface */
VgaExtension->Int10Interface.Version = VIDEO_PORT_INT10_INTERFACE_VERSION_1;
VgaExtension->Int10Interface.Size = sizeof(VIDEO_PORT_INT10_INTERFACE);
@@ -190,12 +190,12 @@
VgaExtension->Int10Interface.Size = 0;
VgaExtension->Int10Interface.Version = 0;
}
-
+
/* Add ref */
//VideoPortDebugPrint(0, "have int10 iface\n");
VgaExtension->Int10Interface.InterfaceReference(VgaExtension->Int10Interface.Context);
Context = VgaExtension->Int10Interface.Context;
-
+
/* Allocate scratch area and context */
Status = VgaExtension->Int10Interface.Int10AllocateBuffer(Context,
&TrampolineMemorySegment,
@@ -209,7 +209,7 @@
/* Init VBE data and write to card buffer */
//VideoPortDebugPrint(0, "have int10 data\n");
VbeInfo->ModeArray[128] = 0xFFFF;
- strcpy(VbeInfo->Info.Signature, "VBE2");
+ VbeInfo->Info.Signature = VBE2_MAGIC;
Status = VgaExtension->Int10Interface.Int10WriteMemory(Context,
TrampolineMemorySegment,
TrampolineMemoryOffset,
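Review bot: The assignment `VbeInfo->Info.Signature = VBE2_MAGIC;` carries no comment saying why a string copy must not be used here, and the rationale only exists in the commit log. A short comment above it would keep the fix from being reverted in a later cleanup, for example `/* Signature is a 4-byte tag with no terminator: write it as one ULONG, a string copy would also store the NUL */`. The enclosing function begins and ends outside this hunk.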
@@ -237,7 +237,7 @@
VbeVersion = VbeInfo->Info.Version;
VideoPortDebugPrint(0, "vbe version %lx memory %lx\n", VbeVersion,
TotalMemory);
if (!ValidateVbeInfo(VgaExtension, VbeInfo)) return;
-
+
/* Read modes */
//VideoPortDebugPrint(0, "read modes from %p\n",
VbeInfo->Info.VideoModePtr);
Status = VgaExtension->Int10Interface.Int10ReadMemory(Context,
@@ -259,11 +259,11 @@
ModeResult = *++ThisMode;
NewModes++;
}
-
+
/* Remove the built-in mode if not supported by card and check max modes */
if (!FourBppModeFound) --NumVideoModes;
if ((NewModes >= 128) && (NumVideoModes > 8)) goto Cleanup;
-
+
/* Switch to new SVGA mode list, copy VGA modes */
VgaModeList = VideoPortAllocatePool(VgaExtension, 1, (NewModes + NumVideoModes) *
sizeof(VIDEOMODE), ' agV');
if (!VgaModeList) goto Cleanup;
@@ -275,7 +275,7 @@
VideoPortDebugPrint(0, "Intel Brookdale-G Video BIOS Not Support!\n");
while (TRUE);
}
-
+
/* Scan SVGA modes */
// VideoPortDebugPrint(0, "Static modes: %d\n", NumVideoModes);
VgaMode = &VgaModeList[NumVideoModes];
@@ -328,7 +328,7 @@
if (VbeModeInfo->ModeAttributes & VBE_MODEATTR_COLOR)
VgaMode->fbType |= VIDEO_MODE_COLOR;
if (VbeModeInfo->ModeAttributes & VBE_MODEATTR_GRAPHICS)
VgaMode->fbType |= VIDEO_MODE_GRAPHICS;
if (VbeModeInfo->ModeAttributes & VBE_MODEATTR_NON_VGA)
VgaMode->NonVgaMode = TRUE;
-
+
/* If no char data, say 80x25 */
VgaMode->col = VbeModeInfo->XCharSize ? VbeModeInfo->XResolution /
VbeModeInfo->XCharSize : 80;
VgaMode->row = VbeModeInfo->YCharSize ? VbeModeInfo->YResolution /
VbeModeInfo->YCharSize : 25;
@@ -338,8 +338,8 @@
VgaMode->bitsPerPlane = VbeModeInfo->BitsPerPixel /
VbeModeInfo->NumberOfPlanes;
if ((VgaMode->bitsPerPlane == 16) &&
(VbeModeInfo->GreenMaskSize == 5)) VgaMode->bitsPerPlane = 15;
//VideoPortDebugPrint(0, "BPP: %d\n", VgaMode->BitsPerPlane);
-
- /* Do linear or banked frame buffers */
+
+ /* Do linear or banked frame buffers */
VgaMode->FrameBufferBase = 0;
if (!LinearAddressing)
{
@@ -347,7 +347,7 @@
ScreenStride = RaiseToPower2(VbeModeInfo->BytesPerScanLine);
VgaMode->wbytes = ScreenStride;
//VideoPortDebugPrint(0, "ScanLines: %lx Stride: %lx\n",
VbeModeInfo->BytesPerScanLine, VgaMode->Stride);
-
+
/* Size of frame buffer is Height X ScanLine, align to bank/page size */
ScreenSize = VgaMode->hres * ScreenStride;
//VideoPortDebugPrint(0, "Size: %lx\n", ScreenSize);
@@ -355,7 +355,7 @@
//VideoPortDebugPrint(0, "Size: %lx\n", ScreenSize);
if (Size > TotalMemory) Size = (Size + ((4 * 1024) - 1)) & ((4 *
1024) - 1);
//VideoPortDebugPrint(0, "Size: %lx\n", ScreenSize);
-
+
/* Banked VGA at 0xA0000 (64K) */
//VideoPortDebugPrint(0, "Final size: %lx\n", Size);
VgaMode->fbType |= VIDEO_MODE_BANKED;
@@ -374,7 +374,7 @@
if (!ScreenStride) ScreenStride = VbeModeInfo->BytesPerScanLine;
VgaMode->wbytes = ScreenStride;
//VideoPortDebugPrint(0, "ScanLines: %lx Stride: %lx\n",
VbeModeInfo->BytesPerScanLine, VgaMode->Stride);
-
+
/* Size of frame buffer is Height X ScanLine, align to page size */
ScreenSize = VgaMode->hres * LOWORD(VgaMode->wbytes);
//VideoPortDebugPrint(0, "Size: %lx\n", ScreenSize);
@@ -382,7 +382,7 @@
//VideoPortDebugPrint(0, "Size: %lx\n", ScreenSize);
if (Size > TotalMemory) Size = (Size + ((4 * 1024) - 1)) & ((4 *
1024) - 1);
//VideoPortDebugPrint(0, "Size: %lx\n", ScreenSize);
-
+
/* Linear VGA must read settings from VBE */
VgaMode->fbType |= VIDEO_MODE_LINEAR;
VgaMode->sbytes = Size;
@@ -391,14 +391,14 @@
VgaMode->NoBankSwitch = FALSE;
VgaMode->PhysBase = VbeModeInfo->PhysBasePtr;
VgaMode->LogicalWidth = VgaMode->hres;
-
+
/* Make VBE_SET_VBE_MODE command use Linear Framebuffer Select */
VgaMode->Mode |= (VBE_MODE_LINEAR_FRAMEBUFFER << 16);
}
-
+
/* Override bank switch if not support by card */
if (VbeModeInfo->ModeAttributes & VBE_MODEATTR_NO_BANK_SWITCH)
VgaMode->NoBankSwitch = TRUE;
-
+
/* Next */
if (ScreenSize <= TotalMemory)
{
Modified: trunk/reactos/drivers/video/miniport/vga_new/vga.h
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/video/miniport/vga…
==============================================================================
--- trunk/reactos/drivers/video/miniport/vga_new/vga.h [iso-8859-1] (original)
+++ trunk/reactos/drivers/video/miniport/vga_new/vga.h [iso-8859-1] Tue Dec 21 21:55:29
2010
@@ -266,7 +266,7 @@
// eVb: 3.3 [VBE]
PUSHORT CmdStream; // pointer to array of register-setting commands to
// set up mode
-// eVb: 3.4 [VBE] - Add fields to track linear addresses/sizes and flags
+// eVb: 3.4 [VBE] - Add fields to track linear addresses/sizes and flags
ULONG PhysBase;
ULONG FrameBufferBase;
ULONG FrameBufferSize;
@@ -407,7 +407,7 @@
UCHAR CursorEnable; // whether cursor is enabled or not
UCHAR CursorTopScanLine; // Cursor Start register setting (top scan)
UCHAR CursorBottomScanLine; // Cursor End register setting (bottom scan)
-// eVb: 3.5 [VBE] - Add fields for VBE support and XP+ INT10 interface
+// eVb: 3.5 [VBE] - Add fields for VBE support and XP+ INT10 interface
VIDEO_PORT_INT10_INTERFACE Int10Interface;
BOOLEAN VesaBiosOk;
// eVb: 3.5 [END]
@@ -438,9 +438,12 @@
extern VIDEOMODE ModesVGA[];
extern PVIDEOMODE VgaModeList;
-// eVb: 3.5 [VGA] - Add ATI/Mach64 Access Range
+// eVb: 3.5 [VGA] - Add ATI/Mach64 Access Range
#define NUM_VGA_ACCESS_RANGES 5
// eVb: 3.5 [END]
extern VIDEO_ACCESS_RANGE VgaAccessRange[];
+/* VESA Bios Magic number */
+#define VESA_MAGIC ('V' + ('E' << 8) + ('S' << 16) +
('A' << 24))
+
#include "vbe.h"