[Qemu-devel] [PATCH] FDC: Fix buffer overflow

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] [PATCH] FDC: Fix buffer overflow

From:	Hervé Poussineau
Subject:	[Qemu-devel] [PATCH] FDC: Fix buffer overflow
Date:	Tue, 29 Apr 2008 19:15:33 +0200
User-agent:	Thunderbird 2.0.0.12 (Windows/20080213)

Hi,

In floppy controller, programming PIO writes which are more than onesector long leads to a buffer overflow of the fdtrl->fifo[] array.

Attached patch fixes it.

Hervé

Index: hw/fdc.c
===================================================================
--- hw/fdc.c    (revision 4290)
+++ hw/fdc.c    (working copy)
@@ -1770,8 +1770,10 @@
     /* Is it write command time ? */
     if (fdctrl->msr & FD_MSR_NONDMA) {
         /* FIFO data write */
-        fdctrl->fifo[fdctrl->data_pos++] = value;
-        if (fdctrl->data_pos % FD_SECTOR_LEN == (FD_SECTOR_LEN - 1) ||
+        pos = fdctrl->data_pos++;
+        pos %= FD_SECTOR_LEN;
+        fdctrl->fifo[pos] = value;
+        if (pos == FD_SECTOR_LEN - 1 ||
             fdctrl->data_pos == fdctrl->data_len) {
             cur_drv = get_cur_drv(fdctrl);
             if (bdrv_write(cur_drv->bs, fd_sector(cur_drv), fdctrl->fifo, 1) < 
0) {

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PATCH] FDC: Fix buffer overflow, Hervé Poussineau <=

Prev by Date: [Qemu-devel] [PATCH] FDC: Fix data transfer len
Next by Date: Re: [Qemu-devel] OpenGL in qemu
Previous by thread: [Qemu-devel] [PATCH] FDC: Fix data transfer len
Next by thread: [Qemu-devel] [PATCH] remove target ifdefs from vl.c
Index(es):
- Date
- Thread