From: Liu Yu
Date: Tue, 27 Sep 2011 16:17:19 +0800
Message-ID: <1317111439-6478-1-git-send-email-yu.liu@freescale.com>
Subject: [Qemu-devel] [PATCH] ppc/e500_pci: Fix an array overflow issue
To: qemu-devel@nongnu.org
Cc: Liu Yu

Signed-off-by: Liu Yu
--- hw/ppce500_pci.c | 26 ++++++++++++++++---------- 1 files changed, 16 insertions(+), 10 deletions(-) diff --git a/hw/ppce500_pci.c b/hw/ppce500_pci.c index 2db365d..3e24e85 100644 --- a/hw/ppce500_pci.c +++ b/hw/ppce500_pci.c
@@ -108,15 +108,18 @@ static uint32_t pci_reg_read4(void *opaque, target_phys_addr_t addr) case PPCE500_PCI_IW3: case PPCE500_PCI_IW2: - case PPCE500_PCI_IW1: + case PPCE500_PCI_IW1: { + int idx = ((addr >> 5) & 0x3) - 1; + switch (addr & 0xC) { - case PCI_PITAR: value = pci->pib[(addr >> 5) & 0x3].pitar; break; - case PCI_PIWBAR: value = pci->pib[(addr >> 5) & 0x3].piwbar; break; - case PCI_PIWBEAR: value = pci->pib[(addr >> 5) & 0x3].piwbear; break; - case PCI_PIWAR: value = pci->pib[(addr >> 5) & 0x3].piwar; break; + case PCI_PITAR: value = pci->pib[idx].pitar; break; + case PCI_PIWBAR: value = pci->pib[idx].piwbar; break; + case PCI_PIWBEAR: value = pci->pib[idx].piwbear; break; + case PCI_PIWAR: value = pci->pib[idx].piwar; break; default: break; }; break; + } case PPCE500_PCI_GASKET_TIMR: value = pci->gasket_time; @@ -164,15 +167,18 @@ static void pci_reg_write4(void *opaque, target_phys_addr_t addr, case PPCE500_PCI_IW3: case PPCE500_PCI_IW2: - case PPCE500_PCI_IW1: + case PPCE500_PCI_IW1: { + int idx = ((addr >> 5) & 0x3) - 1; + switch (addr & 0xC) { - case PCI_PITAR: pci->pib[(addr >> 5) & 0x3].pitar = value; break; - case PCI_PIWBAR: pci->pib[(addr >> 5) & 0x3].piwbar = value; break; - case PCI_PIWBEAR: pci->pib[(addr >> 5) & 0x3].piwbear = value; break; - case PCI_PIWAR: pci->pib[(addr >> 5) & 0x3].piwar = value; break; + case PCI_PITAR: pci->pib[idx].pitar = value; break; + case PCI_PIWBAR: pci->pib[idx].piwbar = value; break; + case PCI_PIWBEAR: pci->pib[idx].piwbear = value; break; + case PCI_PIWAR: pci->pib[idx].piwar = value; break; default: break; }; break; + } case PPCE500_PCI_GASKET_TIMR: pci->gasket_time = value; -- 1.6.4
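Review bot: In the pci_reg_read4 hunk, `int idx = ((addr >> 5) & 0x3) - 1;` evaluates to -1 whenever bits 5-6 of addr are zero, and nothing in the hunk checks idx before it indexes `pci->pib[idx]`. The index is safe only if the PPCE500_PCI_IW1..IW3 case labels guarantee those bits are 1..3, which the visible lines neither state nor enforce. Please add an assertion that idx is non-negative and below the number of elements in pci->pib, or at least a comment giving the window-to-index mapping, so that a later change to the case labels cannot turn a guest register read into a read before or past the array. The commit message has only a subject line; it should also say how many entries pib holds and which window offset overran it.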
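Review bot: In the pci_reg_write4 hunk, the same unchecked `int idx = ((addr >> 5) & 0x3) - 1;` is repeated, and here it selects where a guest-supplied `value` is stored (`pci->pib[idx].pitar = value;` and the three sibling cases). Because this is the store side, a wrong index corrupts device state rather than returning a bad value, so the bounds assertion matters most in this function. Consider moving the computation into one small helper shared by the read and write paths, with the range check inside it, so the two copies cannot drift apart.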