-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1
 
 iQIcBAABAgAGBQJVUzrzAAoJEH3vgQaq/DkOXS8QALd0l54nibDK8CA8ApUZeUns
 frOmGf4bsP88YrJww0alYEiu3ERT4hmjqKkltcyioVFY2t/CuVwCkoayAKac4ga0
 sg1pfAMwBG5mGfQ67N/9h+rivJkCboChK0tIaVKD78+G9ez564rVkt5Px8MD3PKP
 SpatJSrfmOe5DjNVdlbgsNxuMEYZsI/req+G6kRJEddoHSIrQ6Ow/bk8Y5OLr1YV
 GLCCb2n/G4tAkSb1akmVXBx+WqIWrtXyQVz//jWV1g4zMS773vco2jHZMDfPt1we
 NvMoEo7uac8txlTYTXrHBFI19h+rW5jXs7+eYyM2bI04xZntEdxJzM1AIKoqzQUk
 EtGmnGLNsrKg7hrIxcjHwJ09sBl3VkIj62PYUiyhXRB1t7b2bg5IOaRUESCZDnhQ
 XV6ygdi6uGYoAiaM7JJ7FCt3k/xBFTPEHmyNTC+5Pza3mP5GXifNpDgLRPWP0ufG
 EBnUdWDiWIYY6FNa/Z4A5BX5gu41vVQkGNMVjOc8rbZ7iuaGJxay1epVQyuH9vll
 vZ8mUtFowvzWfGZGK/hjXVN7a3NK1N+JzVse1zVwqrf6z3nJXDd/Unn1ZfTcjHZb
 0nBfe1WJRfsDOEgwYescjqckIwfcsLn1w+Q5MG76dQ6w2PeZcqaRf1LEl4sbiMSO
 G+1YypZjZ2hJIwwBUam9
 =D51H
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/jnsnow/tags/ide-cve-pull-request' into staging

# gpg: Signature made Wed May 13 12:52:19 2015 BST using RSA key ID AAFC390E
# gpg: Good signature from "John Snow (John Huston) <jsnow@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: FAEB 9711 A12C F475 812F  18F2 88A9 064D 1835 61EB
#      Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76  CBD0 7DEF 8106 AAFC 390E

* remotes/jnsnow/tags/ide-cve-pull-request:
  fdc: force the fifo access to be in bounds of the allocated buffer

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell 2015-05-13 13:57:44 +01:00
commit 4d2d2d8b21


@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
{
FDrive *cur_drv;
uint32_t retval = 0;
int pos;
uint32_t pos;
cur_drv = get_cur_drv(fdctrl);
fdctrl->dsr &= ~FD_DSR_PWRDOWN;
@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
return 0;
}
pos = fdctrl->data_pos;
pos %= FD_SECTOR_LEN;
if (fdctrl->msr & FD_MSR_NONDMA) {
pos %= FD_SECTOR_LEN;
if (pos == 0) {
if (fdctrl->data_pos != 0)
if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
{
FDrive *cur_drv = get_cur_drv(fdctrl);
uint32_t pos;
if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
pos = fdctrl->data_pos - 1;
pos %= FD_SECTOR_LEN;
if (fdctrl->fifo[pos] & 0x80) {
/* Command parameters done */
if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
if (fdctrl->fifo[pos] & 0x40) {
fdctrl->fifo[0] = fdctrl->fifo[1];
fdctrl->fifo[2] = 0;
fdctrl->fifo[3] = 0;
@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
{
FDrive *cur_drv;
int pos;
uint32_t pos;
/* Reset mode */
if (!(fdctrl->dor & FD_DOR_nRESET)) {
@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
}
FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
fdctrl->fifo[fdctrl->data_pos++] = value;
pos = fdctrl->data_pos++;
pos %= FD_SECTOR_LEN;
fdctrl->fifo[pos] = value;
if (fdctrl->data_pos == fdctrl->data_len) {
/* We now have all parameters
* and will be able to treat the command