Diffstat (limited to 'vm/vm_user.c')
-rw-r--r-- | vm/vm_user.c | 27 |
1 files changed, 18 insertions, 9 deletions
diff --git a/vm/vm_user.c b/vm/vm_user.c index 42ee5e08..8da8dea1 100644 --- a/vm/vm_user.c +++ b/vm/vm_user.c @@ -1,32 +1,32 @@ -/* +/* * Mach Operating System * Copyright (c) 1991,1990,1989,1988 Carnegie Mellon University * All Rights Reserved. - * + * * Permission to use, copy, modify and distribute this software and its * documentation is hereby granted, provided that both the copyright * notice and this permission notice appear in all copies of the * software, derivative works or modified versions, and any portions * thereof, and that both notices appear in supporting documentation. - * + * * CARNEGIE MELLON ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS" * CONDITION. CARNEGIE MELLON DISCLAIMS ANY LIABILITY OF ANY KIND FOR * ANY DAMAGES WHATSOEVER RESULTING FROM THE USE OF THIS SOFTWARE. - * + * * Carnegie Mellon requests users of this software to return to - * + * * Software Distribution Coordinator or Software.Distribution@CS.CMU.EDU * School of Computer Science * Carnegie Mellon University * Pittsburgh PA 15213-3890 - * + * * any improvements or extensions that they make and grant Carnegie Mellon * the rights to redistribute these changes. */ /* * File: vm/vm_user.c * Author: Avadis Tevanian, Jr., Michael Wayne Young - * + * * User-exported virtual memory functions. */ @@ -158,7 +158,7 @@ kern_return_t vm_protect( boolean_t set_maximum, vm_prot_t new_protection) { - if ((map == VM_MAP_NULL) || + if ((map == VM_MAP_NULL) || (new_protection & ~(VM_PROT_ALL|VM_PROT_NOTIFY))) return(KERN_INVALID_ARGUMENT); @@ -350,8 +350,11 @@ kern_return_t vm_map( { ipc_port_t real_memobj; vm_prot_t prot; + vm_offset_t start; + vm_offset_t len; + result = memory_object_proxy_lookup (memory_object, &real_memobj, - &prot); + &prot, &start, &len); if (result != KERN_SUCCESS) return result; 
@@ -368,6 +371,12 @@ kern_return_t vm_map( return KERN_PROTECTION_FAILURE; } + /* Reduce the allowed range */ + if ((start + offset + size) > (start + len)) + return KERN_INVALID_ARGUMENT; + + offset += start; + if ((object = vm_object_enter(real_memobj, size, FALSE)) == VM_OBJECT_NULL) return KERN_INVALID_ARGUMENT; |
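Review bot: The added bounds check `(start + offset + size) > (start + len)` is evaluated in unsigned `vm_offset_t` arithmetic, so a caller-supplied `offset`/`size` pair whose sum wraps compares as small and passes; `offset += start` then refers to a region outside the window the proxy is meant to restrict. Compare without adding the untrusted values: `if (offset > len || size > len - offset) return KERN_INVALID_ARGUMENT;`. That form also drops the redundant `start` on both sides, but it still relies on `start + len` not wrapping, which presumably has to be enforced where the proxy is created (not visible here). The comment would be more accurate as `/* Reject requests outside the proxy's [start, start + len) window */`, since nothing is reduced at this point. The body of vm_map starts and ends outside this hunk.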