Message-ID: <6fe044190604071108y38daeb00ve280749123ec329a@mail.gmail.com>
Date: Fri, 7 Apr 2006 11:08:03 -0700
From: "Kenneth Duda" <ken.duda@gmail.com>
To: qemu-devel@nongnu.org
In-Reply-To: <6fe044190604060153i6b43333dlec41c663f2229cd3@mail.gmail.com>
Subject: [Qemu-devel] Patch for minor qemu heap corruption bug when the console is zero width

Hi everyone, here is another patch for a much less significant bug. If your "vc" console width is 0, qemu corrupts the heap (because it writes one character into a screen buffer that's been malloc'ed as size 0). I don't know if this bug ever causes problems in practice --- I picked it up using mcheck() when debugging heap corruption due to various slirp bugs. Anyway, this trivial patch fixes the trivial bug.

Feedback on what I can do to get patches like this applied most appreciated!

Thanks,
-Ken

[Attachment: qemu-zero-width-console.patch]

diff -burN qemu-snapshot-2006-03-27_23.orig/console.c qemu-snapshot-2006-03-27_23/console.c
--- qemu-snapshot-2006-03-27_23.orig/console.c 2006-03-11 07:35:30.000000000 -0800
+++ qemu-snapshot-2006-03-27_23/console.c 2006-04-06 00:25:41.000000000 -0700
@@ -407,7 +407,8 @@ if (s->width < w1) w1 = s->width; - cells = qemu_malloc(s->width * s->total_height * sizeof(TextCell)); + cells = qemu_malloc((s->width * s->total_height + 1) * sizeof(TextCell)); + /* Add one extra in case s->width is 0, so we can still store one character. */ for(y = 0; y < s->total_height; y++) { c = &cells[y * s->width]; if (w1 > 0) { ------=_Part_24971_23008729.1144433283254--
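Review bot: The `+ 1` on the qemu_malloc size treats the symptom rather than the cause: it guarantees exactly one spare TextCell, so the later write of one character into a zero-sized buffer no longer runs off the end, but with `s->width == 0` every row still aliases the same address (`c = &cells[y * s->width]` is `&cells[0]` for all `y`), and any code path that writes more than one cell into a zero-width console would corrupt the heap again. A more robust fix is to reject or clamp the width where it is set (for example, refuse a zero-width console or treat it as width 1) and/or guard the write that the commit message describes, so the allocation size and the writes agree without relying on padding. Also, the explanatory comment is placed after the statement it describes; move it above the `cells = qemu_malloc(...)` line so it reads as a comment on that allocation.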