Hi,
I noticed the amount of data read by pci_device_linux_sysfs_read_rom is
determined by the file size from sysfs, while the rom_size reported to
the drivers is calculated using a different algorithm. This leads to
invalid memory writes if the file size is greater than the calculated
size. Possible patch attached.
Regards,
Pierre
commit daa4187bddda5d22fca7d91eef9790424d738fa6
Author: Pierre Willenbrock <[EMAIL PROTECTED]>
Date: Sat Dec 6 01:25:33 2008 +0100
Don't read more data than advertised.
diff --git a/src/linux_sysfs.c b/src/linux_sysfs.c
index 8c3cf67..46240da 100644
--- a/src/linux_sysfs.c
+++ b/src/linux_sysfs.c
@@ -337,6 +337,8 @@ pci_device_linux_sysfs_read_rom( struct pci_device * dev, void * buffer )
rom_size = st.st_size;
if ( rom_size == 0 )
rom_size = 0x10000;
+ if (rom_size > dev->rom_size) /* don't read more data than advertised. */
+ rom_size = dev->rom_size;
/* This is a quirky thing on Linux. Even though the ROM and the file
* for the ROM in sysfs are read-only, the string "1" must be written to
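Review bot: the added clamp `if (rom_size > dev->rom_size)` sits after the `rom_size == 0` fallback to 0x10000, so when dev->rom_size is itself 0 it sets rom_size back to 0 and the rest of the function proceeds with a size of 0. Consider returning an error before the clamp in that case, or stating in the comment that a zero dev->rom_size means nothing is copied. The signature takes only `void * buffer` with no length, so a comment saying the caller's buffer must hold at least dev->rom_size bytes would make explicit the contract this check relies on. Style: the surrounding code writes `if ( rom_size == 0 )` with spaces inside the parentheses, and the added line should match.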