qemu-devel.nongnu.org archive mirror
* [Qemu-devel] [PATCH] audio: intel-hda: check stream entry count during transfer
@ 2016-10-20  7:40 P J P
  2016-10-20  9:37 ` Stefan Hajnoczi
  2016-10-26 12:48 ` Gerd Hoffmann
  0 siblings, 2 replies; 3+ messages in thread
From: P J P @ 2016-10-20  7:40 UTC
  To: Qemu Developers; +Cc: Gerd Hoffmann, Huawei PSIRT, Prasad J Pandit

From: Prasad J Pandit <pjp@fedoraproject.org>

Intel HDA emulator uses stream of buffers during DMA data
transfers. Each entry has buffer length and buffer pointer
position, which are used to derive bytes to 'copy'. If this
length and buffer pointer were to be same, 'copy' could be
set to zero(0), leading to an infinite loop. Add check to
avoid it.

Reported-by: Huawei PSIRT <psirt@huawei.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 hw/audio/intel-hda.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
index cd95340..537face 100644
--- a/hw/audio/intel-hda.c
+++ b/hw/audio/intel-hda.c
@@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
     }
 
     left = len;
-    while (left > 0) {
+    s = st->bentries;
+    while (left > 0 && s-- > 0) {
         copy = left;
         if (copy > st->bsize - st->lpib)
             copy = st->bsize - st->lpib;
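
Review bot: The new `s-- > 0` bound in the `while` condition caps the number of passes at `st->bentries` but never tests the condition the commit message names, which is `copy` becoming 0 when `st->bsize - st->lpib` is 0. A direct check right after the clamp (for example `if (copy == 0) break;`, or treating it as an invalid stream state) would match the cause and would not depend on the entry count being a correct upper bound on iterations. With the counter in place the loop can also exit while `left > 0`; the visible lines do not show what follows the loop, so please confirm that a short transfer is reflected in the return value rather than reported as complete. Also, `s` is not declared in this hunk and the diffstat shows only two insertions, so it relies on an existing declaration: worth confirming its type matches `st->bentries`, since `s-- > 0` leaves an unsigned `s` wrapped around after the final pass.
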
-- 
2.7.4
