From: Stefan Hajnoczi
Subject: [Qemu-devel] [PULL 27/59] aio-win32: avoid out-of-bounds access to the events array
Date: Fri, 19 Sep 2014 15:41:46 +0100
From: Paolo Bonzini <address@hidden>
If ret is WAIT_TIMEOUT and there was an event returned by select(),
we can write to a location after the end of the array. But in
that case we can retry the WaitForMultipleObjects call with the
same set of events, so just move the event[ret - WAIT_OBJECT_0]
assignment inside the existing conditional.
Reported-by: TeLeMan <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
Reviewed-by: TeLeMan <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
---
aio-win32.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/aio-win32.c b/aio-win32.c
index 7daeae1..d81313b 100644
--- a/aio-win32.c
+++ b/aio-win32.c
@@ -335,6 +335,7 @@ bool aio_poll(AioContext *ctx, bool blocking)
event = NULL;
if ((DWORD) (ret - WAIT_OBJECT_0) < count) {
event = events[ret - WAIT_OBJECT_0];
+ events[ret - WAIT_OBJECT_0] = events[--count];
} else if (!have_select_revents) {
break;
}
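Review bot: the rationale for the swap-remove does not travel with it; the `/* Try again, but only call each handler once. */` comment that the second hunk deletes is not re-added above the new `events[ret - WAIT_OBJECT_0] = events[--count];` line, so the `--count` inside the bounds check now reads as unexplained. Suggest carrying that comment to the added line, since the whole point of the patch is that this removal is only valid when `ret - WAIT_OBJECT_0` indexes a live entry.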
@@ -343,9 +344,6 @@ bool aio_poll(AioContext *ctx, bool blocking)
blocking = false;
progress |= aio_dispatch_handlers(ctx, event);
-
- /* Try again, but only call each handler once. */
- events[ret - WAIT_OBJECT_0] = events[--count];
}
progress |= timerlistgroup_run_timers(&ctx->tlg);
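Review bot: the swap-remove now runs before `aio_dispatch_handlers(ctx, event)` rather than after it; that ordering is safe only because `event` is copied out of `events[]` on the line preceding the overwrite, which the commit message could say explicitly. It is also worth stating that, with the assignment gone from this block, a `ret` of `WAIT_TIMEOUT` while `have_select_revents` is set now reaches `aio_dispatch_handlers()` with `event == NULL` and leaves `count` untouched, so the retry re-waits on the same set of handles, which is the behaviour the commit message describes.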
--
1.9.3
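The following is an added example, not QEMU's code: a host-independent C model of the event bookkeeping in aio_poll() so the WAIT_TIMEOUT case the patch fixes can be exercised without a Windows build. WAIT_OBJECT_0 (0) and WAIT_TIMEOUT (258) use their documented Win32 values; the poll_state struct, the handle stand-ins and the scenario functions are constructed for this example.

```c
/* Added example, not QEMU's code: a host-independent model of the event
 * bookkeeping in aio_poll() so the WAIT_TIMEOUT case from the patch can be
 * exercised. WAIT_OBJECT_0 (0) and WAIT_TIMEOUT (258) are the documented
 * Win32 values; the handle values and poll_state struct are constructed. */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t DWORD;
#define WAIT_OBJECT_0 0u
#define WAIT_TIMEOUT  258u
#define MAX_EVENTS    4

struct poll_state {
    uintptr_t events[MAX_EVENTS]; /* constructed stand-ins for HANDLEs */
    DWORD count;                  /* live entries in events[] */
};

void poll_state_init(struct poll_state *s, DWORD count)
{
    assert(count <= MAX_EVENTS);
    for (DWORD i = 0; i < MAX_EVENTS; i++) {
        s->events[i] = (i < count) ? 0x1000u + i : 0;
    }
    s->count = count;
}

/* The pre-patch code wrote events[ret - WAIT_OBJECT_0] unconditionally;
 * this reports whether that index lies past the live entries
 * (e.g. ret == WAIT_TIMEOUT would have written events[258]). */
bool old_code_writes_out_of_bounds(DWORD ret, DWORD count)
{
    return (DWORD)(ret - WAIT_OBJECT_0) >= count;
}

/* One event-selection step as fixed by the patch: the swap-remove happens
 * only inside the bounds check. Returns false where the loop would break. */
bool select_event(struct poll_state *s, DWORD ret, bool have_select_revents,
                  uintptr_t *event)
{
    *event = 0;
    if ((DWORD)(ret - WAIT_OBJECT_0) < s->count) {
        *event = s->events[ret - WAIT_OBJECT_0];
        /* Try again, but only call each handler once. */
        s->events[ret - WAIT_OBJECT_0] = s->events[--s->count];
        return true;
    } else if (!have_select_revents) {
        return false;
    }
    return true; /* only select() revents to dispatch; array untouched */
}

/* Scenario: one signalled handle, then WAIT_TIMEOUT with select() revents
 * pending. Returns the final count, which stays at 2 because the timeout
 * must not remove a second entry. */
DWORD run_timeout_scenario(void)
{
    struct poll_state s;
    uintptr_t ev;
    poll_state_init(&s, 3);
    select_event(&s, WAIT_OBJECT_0 + 1, false, &ev); /* dispatches 0x1001 */
    select_event(&s, WAIT_TIMEOUT, true, &ev);       /* ev == 0, no removal */
    return s.count;
}

/* Same first step, returning the handle that would be dispatched. */
uintptr_t first_dispatched_handle(void)
{
    struct poll_state s;
    uintptr_t ev;
    poll_state_init(&s, 3);
    select_event(&s, WAIT_OBJECT_0 + 1, false, &ev);
    return ev;
}

int main(void)
{
    printf("old code OOB on WAIT_TIMEOUT: %d\n",
           old_code_writes_out_of_bounds(WAIT_TIMEOUT, 3));
    printf("count after timeout scenario: %u\n", run_timeout_scenario());
    return 0;
}
```

The cast to DWORD in the bounds check is what makes a single comparison cover every non-index return value: WAIT_TIMEOUT, WAIT_ABANDONED_0-relative values and WAIT_FAILED all land at or above `count` after the unsigned subtraction, so the swap-remove is skipped for all of them.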