From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43) id 1KF3RU-0005Pi-0m for qemu-devel@nongnu.org; Sat, 05 Jul 2008 04:48:28 -0400 Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43) id 1KF3RS-0005PM-9D for qemu-devel@nongnu.org; Sat, 05 Jul 2008 04:48:27 -0400 Received: from [199.232.76.173] (port=46218 helo=monty-python.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1KF3RS-0005PJ-5U for qemu-devel@nongnu.org; Sat, 05 Jul 2008 04:48:26 -0400 Received: from gv-out-0910.google.com ([216.239.58.187]:28188) by monty-python.gnu.org with esmtp (Exim 4.60) (envelope-from ) id 1KF3RS-0002a2-2W for qemu-devel@nongnu.org; Sat, 05 Jul 2008 04:48:26 -0400 Received: by gv-out-0910.google.com with SMTP id n8so227718gve.36 for ; Sat, 05 Jul 2008 01:48:24 -0700 (PDT) Date: Sat, 5 Jul 2008 10:48:22 +0200 From: Jindrich Makovicka Message-ID: <20080705104822.377b403d@holly> Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: [Qemu-devel] array overflow in hw/stellaris.c and hw/omap_dss.c Reply-To: qemu-devel@nongnu.org List-Id: qemu-devel.nongnu.org List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Hi, there are some under-dimensioned arrays in $subj. Index: stellaris.c =================================================================== --- stellaris.c (revision 4846) +++ stellaris.c (working copy) @@ -1308,8 +1308,8 @@ static const int gpio_irq[7] = {0, 1, 2, 3, 4, 30, 31}; qemu_irq *pic; - qemu_irq *gpio_in[5]; - qemu_irq *gpio_out[5]; + qemu_irq *gpio_in[7]; + qemu_irq *gpio_out[7]; qemu_irq adc; int sram_size; int flash_size; Index: omap_dss.c =================================================================== --- omap_dss.c (revision 4846) +++ omap_dss.c (working copy) 
@@ -53,7 +53,7 @@ uint32_t control; uint32_t config; uint32_t capable; - uint32_t timing[3]; + uint32_t timing[4]; int line; uint32_t bg[2]; uint32_t trans[2]; @@ -148,6 +148,7 @@ s->dispc.timing[0] = 0; s->dispc.timing[1] = 0; s->dispc.timing[2] = 0; + s->dispc.timing[3] = 0; s->dispc.line = 0; s->dispc.bg[0] = 0; s->dispc.bg[1] = 0; Regards, -- Jindrich Makovicka
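Review bot: In the stellaris.c hunk, gpio_in[7] and gpio_out[7] are now sized by a literal that must stay in sync with gpio_irq[7]; deriving the size from one shared constant (a #define used for all three, or ARRAY_SIZE(gpio_irq) where the arrays are declared with that constant) would stop the dimensions drifting apart again. The original [5] versus seven entries in gpio_irq means any loop indexed over gpio_irq wrote two pointers past the end of these struct members, so this is memory corruption inside the QEMU process, not just a guest-visible glitch, and it is worth stating that in the commit message.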
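Review bot: The first omap_dss.c hunk grows timing[3] to timing[4] without the description saying which register access reaches index 3; a sentence in the commit message naming that access would let a reviewer confirm no other accessor of timing[] still assumes three elements. A named constant for the element count, shared by the declaration and the reset code, would also make the relationship explicit.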
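Review bot: The second omap_dss.c hunk adds "s->dispc.timing[3] = 0;" to a reset routine that zeroes each element by hand, which is exactly how the new element could have been missed; a memset over the whole array (or a loop bounded by ARRAY_SIZE(s->dispc.timing)) would clear every element regardless of the declared size. Also, neither this hunk nor the mail carries a Signed-off-by line, which should be added before this is applied.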