From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([140.186.70.92]:37770)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <kwolf@redhat.com>) id 1RLZp3-0006op-4m
	for qemu-devel@nongnu.org; Wed, 02 Nov 2011 08:21:38 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <kwolf@redhat.com>) id 1RLZp1-0004Jh-Gg
	for qemu-devel@nongnu.org; Wed, 02 Nov 2011 08:21:37 -0400
Received: from mx1.redhat.com ([209.132.183.28]:1614)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <kwolf@redhat.com>) id 1RLZp1-0004JN-6s
	for qemu-devel@nongnu.org; Wed, 02 Nov 2011 08:21:35 -0400
Message-ID: <4EB13689.1050902@redhat.com>
Date: Wed, 02 Nov 2011 13:24:41 +0100
From: Kevin Wolf <kwolf@redhat.com>
MIME-Version: 1.0
References: <1320234974-15318-1-git-send-email-kraxel@redhat.com>
	<4EB13516.1060801@suse.de>
In-Reply-To: <4EB13516.1060801@suse.de>
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: quoted-printable
Subject: Re: [Qemu-devel] [PATCH] intel-hda: fix stream search
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: =?ISO-8859-15?Q?Andreas_F=E4rber?= <afaerber@suse.de>
Cc: marcandre.lureau@gmail.com, Gerd Hoffmann <kraxel@redhat.com>, qemu-devel@nongnu.org

Am 02.11.2011 13:18, schrieb Andreas F=E4rber:
> Am 02.11.2011 12:56, schrieb Gerd Hoffmann:
>> commit ba43d28916c4f51c19bd7366089155ce81bee058 introduces a bug:
>> The stream-not-found case doesn't error out any more, instead the
>> code silently uses the first stream.  Fix it.
>>
>> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
>> ---
>>  hw/intel-hda.c |    2 +-
>>  1 files changed, 1 insertions(+), 1 deletions(-)
>>
>> diff --git a/hw/intel-hda.c b/hw/intel-hda.c
>> index 675b659..b7ec36d 100644
>> --- a/hw/intel-hda.c
>> +++ b/hw/intel-hda.c
>> @@ -401,7 +401,7 @@ static bool intel_hda_xfer(HDACodecDevice *dev, ui=
nt32_t stnr, bool output,
>>              break;
>>          }
>>      }
>> -    if (st =3D=3D NULL) {
>> +    if (s =3D=3D 4) {
>>          return false;
>>      }
>>      if (st->bpl =3D=3D NULL) {
>=20
> The commit message doesn't say it clearly: Is st =3D=3D NULL impossible=
?
> If not, this introduces a potential NULL pointer dereference at st->bpl.

Yes, it's impossible. This is the full context:

    st =3D output ? d->st + 4 : d->st;
    for (s =3D 0; s < 4; s++) {
        if (stnr =3D=3D ((st[s].ctl >> 20) & 0x0f)) {
            st =3D st + s;
            break;
        }
    }

d->st is an array: IntelHDAStream st[8];

Kevin