* [Qemu-devel] [PATCH] FDC: Fix buffer overflow
@ 2008-04-29 17:15 Hervé Poussineau
  0 siblings, 0 replies; only message in thread
From: Hervé Poussineau @ 2008-04-29 17:15 UTC (permalink / raw)
  To: qemu-devel

Hi,

In the floppy controller, programming PIO writes which are more than one 
sector long leads to a buffer overflow of the fdctrl->fifo[] array.
Attached patch fixes it.

Hervé

[-- Attachment #2: fdc_pio_write.diff --]

Index: hw/fdc.c
===================================================================
--- hw/fdc.c	(revision 4290)
+++ hw/fdc.c	(working copy)
@@ -1770,8 +1770,10 @@
     /* Is it write command time ? */
     if (fdctrl->msr & FD_MSR_NONDMA) {
         /* FIFO data write */
-        fdctrl->fifo[fdctrl->data_pos++] = value;
-        if (fdctrl->data_pos % FD_SECTOR_LEN == (FD_SECTOR_LEN - 1) ||
+        pos = fdctrl->data_pos++;
+        pos %= FD_SECTOR_LEN;
+        fdctrl->fifo[pos] = value;
+        if (pos == FD_SECTOR_LEN - 1 ||
             fdctrl->data_pos == fdctrl->data_len) {
             cur_drv = get_cur_drv(fdctrl);
             if (bdrv_write(cur_drv->bs, fd_sector(cur_drv), fdctrl->fifo, 1) < 0) {
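Review bot: `pos` is assigned in this hunk but its declaration is not shown; confirm that fdctrl_write_data already declares it with a type matching `fdctrl->data_pos`, otherwise the patch will not compile as posted. The flush condition also changes behaviour beyond the overflow fix: the old test `fdctrl->data_pos % FD_SECTOR_LEN == (FD_SECTOR_LEN - 1)` ran after the post-increment, so it fired once the byte at offset FD_SECTOR_LEN - 2 had been stored, whereas the new `pos == FD_SECTOR_LEN - 1` fires after the final byte of the sector. That is the correct sector boundary, and masking `pos` keeps every FIFO store inside the one-sector buffer that `bdrv_write(..., fdctrl->fifo, 1)` flushes, but the commit message only mentions the overflow, so the changed flush point should be stated explicitly.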
