From: Paolo Bonzini
Date: Thu, 11 Dec 2014 20:05:19 +0100
Message-ID: <5489EAEF.1010600@redhat.com>
In-Reply-To: <5489DA78.9030003@msgid.tls.msk.ru>
To: Michael Tokarev, qemu-devel@nongnu.org
Cc: qemu-trivial@nongnu.org, zhang.zhanghailiang@huawei.com, peter.huangpeng@huawei.com
Subject: Re: [Qemu-devel] [Qemu-trivial] [PATCH] vt82c686: avoid out-of-bounds read

On 11/12/2014 18:55, Michael Tokarev wrote:
>> superio_ioport_readb can read the 256th element of the array.
> Is there a legitimate reason for it to access byte index 256?

The 256th element is byte index 255. :)

> What is the actual size of superio config memory, 256 or 257?

It's 256 and the array is sized conf[0xff].

> I don't know, but somehow it looks like it should be 256.

That's what the patch does. :)

Paolo
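The off-by-one under discussion, as an added illustration that is not QEMU's vt82c686 code and not part of this thread: a configuration space selected by an 8-bit index register can be asked for any index 0..255, so a backing array declared with 0xff (255) entries leaves index 255 one byte past the end, while 0x100 (256) entries covers every reachable index. The names, the sizes and the guarded-read helper below are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not QEMU's code: a config space addressed by an
 * 8-bit index, so indices 0..0xff are all reachable by the guest. */
#define CONF_LEN_BROKEN 0xff   /* 255 entries: index 255 is one past the end */
#define CONF_LEN_FIXED  0x100  /* 256 entries: every 8-bit index is in bounds */

/* Lowest 8-bit index that does not fit in an array of conf_len bytes,
 * or -1 when all 256 indices are valid. */
int first_oob_index(size_t conf_len)
{
    for (int idx = 0; idx <= 0xff; idx++) {
        if ((size_t)idx >= conf_len) {
            return idx;
        }
    }
    return -1;
}

/* Guarded read: returns conf[idx] when in bounds; otherwise reports the
 * violation through *oob and returns 0xff (an open-bus value) instead of
 * touching memory past the array. */
uint8_t conf_readb(const uint8_t *conf, size_t conf_len, uint8_t idx, bool *oob)
{
    if ((size_t)idx >= conf_len) {
        *oob = true;
        return 0xff;
    }
    *oob = false;
    return conf[idx];
}

/* Fills a 256-byte array with conf[i] == i and reads idx against a declared
 * bound of conf_len: returns the byte read, or -1 if the read was refused. */
int demo_read(size_t conf_len, uint8_t idx)
{
    uint8_t conf[CONF_LEN_FIXED];
    for (int i = 0; i < CONF_LEN_FIXED; i++) {
        conf[i] = (uint8_t)i;
    }
    bool oob;
    uint8_t v = conf_readb(conf, conf_len, idx, &oob);
    return oob ? -1 : (int)v;
}

int main(void)
{
    printf("first OOB index with conf[0xff]:  %d\n", first_oob_index(CONF_LEN_BROKEN));
    printf("first OOB index with conf[0x100]: %d\n", first_oob_index(CONF_LEN_FIXED));
    printf("read index 0xff with 255-byte bound: %d\n", demo_read(CONF_LEN_BROKEN, 0xff));
    printf("read index 0xff with 256-byte bound: %d\n", demo_read(CONF_LEN_FIXED, 0xff));
    return 0;
}
```

The point of `first_oob_index` is that the only index an 0xff-sized array cannot hold is 255, which is exactly the "256th element" of the thread; sizing the array to 0x100 makes the bounds check in `conf_readb` unreachable for any 8-bit index.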