don't allow mmap beyond the end of the buffer

Submitted by: Philippe Anel <philippe.anel@noos.fr> (partially)
author: cg <cg@FreeBSD.org> 2002-01-23 04:32:18 +0000
committer: cg <cg@FreeBSD.org> 2002-01-23 04:32:18 +0000
commit: b75a033f7588a9c6ef9d7f21c864e9af9714de75 (patch)
tree: 6c8b6fe25bcb05833ec764e8b37902ca9e73bb20
parent: 2009b476286bc1a19db178f189b568d9185e6aee (diff)
download: FreeBSD-src-b75a033f7588a9c6ef9d7f21c864e9af9714de75.zip
FreeBSD-src-b75a033f7588a9c6ef9d7f21c864e9af9714de75.tar.gz
1 files changed, 7 insertions, 1 deletions
diff --git a/sys/dev/sound/pcm/dsp.c b/sys/dev/sound/pcm/dsp.c
index d5a05d1..55147e3 100644
--- a/sys/dev/sound/pcm/dsp.c
+++ b/sys/dev/sound/pcm/dsp.c
@@ -1022,10 +1022,16 @@ dsp_mmap(dev_t i_dev, vm_offset_t offset, int nprot)
 		return -1;
 	}
 
+	if (offset >= sndbuf_getsize(c->bufsoft)) {
+		relchns(i_dev, rdch, wrch, SD_F_PRIO_RD | SD_F_PRIO_WR);
+		splx(s);
+		return -1;
+	}
+
 	if (!(c->flags & CHN_F_MAPPED))
 		c->flags |= CHN_F_MAPPED;
 
-	ret = atop(vtophys(((char *)sndbuf_getbuf(c->bufsoft)) + offset));
+	ret = atop(vtophys(sndbuf_getbufofs(c->bufsoft, offset)));
 	relchns(i_dev, rdch, wrch, SD_F_PRIO_RD | SD_F_PRIO_WR);
 
 	splx(s);
author	cg <cg@FreeBSD.org>	2002-01-23 04:32:18 +0000
committer	cg <cg@FreeBSD.org>	2002-01-23 04:32:18 +0000
commit	b75a033f7588a9c6ef9d7f21c864e9af9714de75 (patch)
tree	6c8b6fe25bcb05833ec764e8b37902ca9e73bb20
parent	2009b476286bc1a19db178f189b568d9185e6aee (diff)
download	FreeBSD-src-b75a033f7588a9c6ef9d7f21c864e9af9714de75.zip FreeBSD-src-b75a033f7588a9c6ef9d7f21c864e9af9714de75.tar.gz