From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1JqtQc-0006VY-Eg
	for qemu-devel@nongnu.org; Tue, 29 Apr 2008 13:15:42 -0400
Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43)
	id 1JqtQa-0006UO-MC
	for qemu-devel@nongnu.org; Tue, 29 Apr 2008 13:15:41 -0400
Received: from [199.232.76.173] (port=37064 helo=monty-python.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1JqtQa-0006UE-7X
	for qemu-devel@nongnu.org; Tue, 29 Apr 2008 13:15:40 -0400
Received: from smtp3-g19.free.fr ([212.27.42.29])
	by monty-python.gnu.org with esmtp (Exim 4.60)
	(envelope-from <hpoussin@reactos.org>) id 1JqtQZ-0002WZ-Mm
	for qemu-devel@nongnu.org; Tue, 29 Apr 2008 13:15:40 -0400
Received: from smtp3-g19.free.fr (localhost.localdomain [127.0.0.1])
	by smtp3-g19.free.fr (Postfix) with ESMTP id 9B2A817B5F4
	for <qemu-devel@nongnu.org>; Tue, 29 Apr 2008 19:15:36 +0200 (CEST)
Received: from [127.0.0.1] (rob92-10-88-171-126-33.fbx.proxad.net
	[88.171.126.33])
	by smtp3-g19.free.fr (Postfix) with ESMTP id DA69E17B5C7
	for <qemu-devel@nongnu.org>; Tue, 29 Apr 2008 19:15:35 +0200 (CEST)
Message-ID: <481757B5.8070708@reactos.org>
Date: Tue, 29 Apr 2008 19:15:33 +0200
From: =?ISO-8859-1?Q?Herv=E9_Poussineau?= <hpoussin@reactos.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="------------060200070300080308090602"
Subject: [Qemu-devel] [PATCH] FDC: Fix buffer overflow
Reply-To: qemu-devel@nongnu.org
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org

This is a multi-part message in MIME format.
--------------060200070300080308090602
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: quoted-printable

Hi,

In floppy controller, programming PIO writes which are more than one=20
sector long leads to a buffer overflow of the fdtrl->fifo[] array.
Attached patch fixes it.

Herv=E9

--------------060200070300080308090602
Content-Type: text/plain;
 name="fdc_pio_write.diff"
Content-Transfer-Encoding: base64
Content-Disposition: inline;
 filename="fdc_pio_write.diff"

SW5kZXg6IGh3L2ZkYy5jDQo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09
PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09DQotLS0gaHcvZmRjLmMJKHJldmlzaW9u
IDQyOTApDQorKysgaHcvZmRjLmMJKHdvcmtpbmcgY29weSkNCkBAIC0xNzcwLDggKzE3NzAs
MTAgQEANCiAgICAgLyogSXMgaXQgd3JpdGUgY29tbWFuZCB0aW1lID8gKi8KICAgICBpZiAo
ZmRjdHJsLT5tc3IgJiBGRF9NU1JfTk9ORE1BKSB7CiAgICAgICAgIC8qIEZJRk8gZGF0YSB3
cml0ZSAqLwotICAgICAgICBmZGN0cmwtPmZpZm9bZmRjdHJsLT5kYXRhX3BvcysrXSA9IHZh
bHVlOwotICAgICAgICBpZiAoZmRjdHJsLT5kYXRhX3BvcyAlIEZEX1NFQ1RPUl9MRU4gPT0g
KEZEX1NFQ1RPUl9MRU4gLSAxKSB8fAorICAgICAgICBwb3MgPSBmZGN0cmwtPmRhdGFfcG9z
Kys7DQorICAgICAgICBwb3MgJT0gRkRfU0VDVE9SX0xFTjsNCisgICAgICAgIGZkY3RybC0+
Zmlmb1twb3NdID0gdmFsdWU7DQorICAgICAgICBpZiAocG9zID09IEZEX1NFQ1RPUl9MRU4g
LSAxIHx8DQogICAgICAgICAgICAgZmRjdHJsLT5kYXRhX3BvcyA9PSBmZGN0cmwtPmRhdGFf
bGVuKSB7CiAgICAgICAgICAgICBjdXJfZHJ2ID0gZ2V0X2N1cl9kcnYoZmRjdHJsKTsKICAg
ICAgICAgICAgIGlmIChiZHJ2X3dyaXRlKGN1cl9kcnYtPmJzLCBmZF9zZWN0b3IoY3VyX2Ry
diksIGZkY3RybC0+ZmlmbywgMSkgPCAwKSB7Cg==
--------------060200070300080308090602--