[Qemu-devel] [4293] FDC: Fix buffer overflow (Hervé Poussineau)
From: Blue Swirl
Subject: [Qemu-devel] [4293] FDC: Fix buffer overflow (Hervé Poussineau)
Date: Thu, 01 May 2008 19:03:32 +0000
Revision: 4293
http://svn.sv.gnu.org/viewvc/?view=rev&root=qemu&revision=4293
Author: blueswir1
Date: 2008-05-01 19:03:31 +0000 (Thu, 01 May 2008)
Log Message:
-----------
FDC: Fix buffer overflow (Hervé Poussineau)
In floppy controller, programming PIO writes which are more than one sector
long leads to a buffer overflow of the fdctrl->fifo[] array.
Modified Paths:
--------------
trunk/hw/fdc.c
Modified: trunk/hw/fdc.c
===================================================================
--- trunk/hw/fdc.c 2008-05-01 18:21:46 UTC (rev 4292)
+++ trunk/hw/fdc.c 2008-05-01 19:03:31 UTC (rev 4293)
@@ -1770,8 +1770,10 @@
/* Is it write command time ? */
if (fdctrl->msr & FD_MSR_NONDMA) {
/* FIFO data write */
- fdctrl->fifo[fdctrl->data_pos++] = value;
- if (fdctrl->data_pos % FD_SECTOR_LEN == (FD_SECTOR_LEN - 1) ||
+ pos = fdctrl->data_pos++;
+ pos %= FD_SECTOR_LEN;
+ fdctrl->fifo[pos] = value;
+ if (pos == FD_SECTOR_LEN - 1 ||
fdctrl->data_pos == fdctrl->data_len) {
cur_drv = get_cur_drv(fdctrl);
if (bdrv_write(cur_drv->bs, fd_sector(cur_drv), fdctrl->fifo, 1) <
0) {
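Review bot: the new `pos` variable is used in this hunk but its declaration is not part of the change; please confirm it is declared in this function (as an `int` or `unsigned`) and that no warning results, since an undeclared `pos` would turn this fix into a build break. Two further points are worth stating in the log message. First, bounding the index with `pos %= FD_SECTOR_LEN` before `fdctrl->fifo[pos] = value` is what actually closes the overflow: the old `fdctrl->fifo[fdctrl->data_pos++]` indexed the sector-sized FIFO with the unbounded transfer position, so any guest programming `data_len > FD_SECTOR_LEN` wrote past the end of the array. Second, the flush condition changes meaning, not just form: the old test `fdctrl->data_pos % FD_SECTOR_LEN == (FD_SECTOR_LEN - 1)` examined the post-increment count, whereas `pos == FD_SECTOR_LEN - 1` examines the pre-increment index, so `bdrv_write()` now fires after the 512th byte of a sector instead of the 511th. That looks like the intended behaviour, but it is an off-by-one correction beyond the overflow and deserves a mention. Finally, `fd_sector(cur_drv)` is evaluated on every flush; whether the drive's sector counter is advanced after a successful `bdrv_write()` is outside the visible context, and without that a multi-sector PIO write would repeatedly overwrite the same sector, so a quick check of the code following this hunk is advisable.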