xnu-1504.9.37.tar.gz

[apple/xnu.git] / bsd / hfs / hfs_readwrite.c

diff --git a/bsd/hfs/hfs_readwrite.c b/bsd/hfs/hfs_readwrite.c
index 6dc30afad3270c1f85516de58e350d3a72a36f44..9fcd6a02d59b71fd1975fb22b2271aaba7157fd2 100644 (file)
--- a/bsd/hfs/hfs_readwrite.c
+++ b/bsd/hfs/hfs_readwrite.c
@@ -1947,6 +1947,12 @@ fail_change_next_allocation:
                        user_bootstrap.fbt_length = bootstrapp->fbt_length;
                        user_bootstrap.fbt_buffer = CAST_USER_ADDR_T(bootstrapp->fbt_buffer);
                }
+
+               if ((user_bootstrapp->fbt_offset < 0) || (user_bootstrapp->fbt_offset > 1024) ||
+                               (user_bootstrapp->fbt_length > 1024)) {
+                       return EINVAL;
+               }
+
                if (user_bootstrapp->fbt_offset + user_bootstrapp->fbt_length > 1024) 
                        return EINVAL;
            
@@ -3296,6 +3302,7 @@ hfs_vnop_pageout(struct vnop_pageout_args *ap)
        vm_offset_t     a_pl_offset;
        int             a_flags;
        int is_pageoutv2 = 0;
+       kern_return_t kret;
 
        cp = VTOC(vp);
        fp = VTOF(vp);
@@ -3339,9 +3346,9 @@ hfs_vnop_pageout(struct vnop_pageout_args *ap)
                else {
                        request_flags = UPL_UBC_PAGEOUT | UPL_RET_ONLY_DIRTY;
                }
-               ubc_create_upl(vp, ap->a_f_offset, ap->a_size, &upl, &pl, request_flags); 
+               kret = ubc_create_upl(vp, ap->a_f_offset, ap->a_size, &upl, &pl, request_flags); 
 
-               if (upl == (upl_t) NULL) {
+               if ((kret != KERN_SUCCESS) || (upl == (upl_t) NULL)) {
                        retval = EINVAL;
                        goto pageout_done;
                }