-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1 iQIcBAABAgAGBQJVUzrzAAoJEH3vgQaq/DkOXS8QALd0l54nibDK8CA8ApUZeUns frOmGf4bsP88YrJww0alYEiu3ERT4hmjqKkltcyioVFY2t/CuVwCkoayAKac4ga0 sg1pfAMwBG5mGfQ67N/9h+rivJkCboChK0tIaVKD78+G9ez564rVkt5Px8MD3PKP SpatJSrfmOe5DjNVdlbgsNxuMEYZsI/req+G6kRJEddoHSIrQ6Ow/bk8Y5OLr1YV GLCCb2n/G4tAkSb1akmVXBx+WqIWrtXyQVz//jWV1g4zMS773vco2jHZMDfPt1we NvMoEo7uac8txlTYTXrHBFI19h+rW5jXs7+eYyM2bI04xZntEdxJzM1AIKoqzQUk EtGmnGLNsrKg7hrIxcjHwJ09sBl3VkIj62PYUiyhXRB1t7b2bg5IOaRUESCZDnhQ XV6ygdi6uGYoAiaM7JJ7FCt3k/xBFTPEHmyNTC+5Pza3mP5GXifNpDgLRPWP0ufG EBnUdWDiWIYY6FNa/Z4A5BX5gu41vVQkGNMVjOc8rbZ7iuaGJxay1epVQyuH9vll vZ8mUtFowvzWfGZGK/hjXVN7a3NK1N+JzVse1zVwqrf6z3nJXDd/Unn1ZfTcjHZb 0nBfe1WJRfsDOEgwYescjqckIwfcsLn1w+Q5MG76dQ6w2PeZcqaRf1LEl4sbiMSO G+1YypZjZ2hJIwwBUam9 =D51H -----END PGP SIGNATURE----- Merge remote-tracking branch 'remotes/jnsnow/tags/ide-cve-pull-request' into staging # gpg: Signature made Wed May 13 12:52:19 2015 BST using RSA key ID AAFC390E # gpg: Good signature from "John Snow (John Huston) <jsnow@redhat.com>" # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: FAEB 9711 A12C F475 812F 18F2 88A9 064D 1835 61EB # Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76 CBD0 7DEF 8106 AAFC 390E * remotes/jnsnow/tags/ide-cve-pull-request: fdc: force the fifo access to be in bounds of the allocated buffer Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
This commit is contained in:
commit
4d2d2d8b21
@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
|
||||
{
|
||||
FDrive *cur_drv;
|
||||
uint32_t retval = 0;
|
||||
int pos;
|
||||
uint32_t pos;
|
||||
|
||||
cur_drv = get_cur_drv(fdctrl);
|
||||
fdctrl->dsr &= ~FD_DSR_PWRDOWN;
|
||||
@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
|
||||
return 0;
|
||||
}
|
||||
pos = fdctrl->data_pos;
|
||||
pos %= FD_SECTOR_LEN;
|
||||
if (fdctrl->msr & FD_MSR_NONDMA) {
|
||||
pos %= FD_SECTOR_LEN;
|
||||
if (pos == 0) {
|
||||
if (fdctrl->data_pos != 0)
|
||||
if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
|
||||
@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
|
||||
static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
|
||||
{
|
||||
FDrive *cur_drv = get_cur_drv(fdctrl);
|
||||
uint32_t pos;
|
||||
|
||||
if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
|
||||
pos = fdctrl->data_pos - 1;
|
||||
pos %= FD_SECTOR_LEN;
|
||||
if (fdctrl->fifo[pos] & 0x80) {
|
||||
/* Command parameters done */
|
||||
if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
|
||||
if (fdctrl->fifo[pos] & 0x40) {
|
||||
fdctrl->fifo[0] = fdctrl->fifo[1];
|
||||
fdctrl->fifo[2] = 0;
|
||||
fdctrl->fifo[3] = 0;
|
||||
@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
|
||||
static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
|
||||
{
|
||||
FDrive *cur_drv;
|
||||
int pos;
|
||||
uint32_t pos;
|
||||
|
||||
/* Reset mode */
|
||||
if (!(fdctrl->dor & FD_DOR_nRESET)) {
|
||||
@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
|
||||
}
|
||||
|
||||
FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
|
||||
fdctrl->fifo[fdctrl->data_pos++] = value;
|
||||
pos = fdctrl->data_pos++;
|
||||
pos %= FD_SECTOR_LEN;
|
||||
fdctrl->fifo[pos] = value;
|
||||
if (fdctrl->data_pos == fdctrl->data_len) {
|
||||
/* We now have all parameters
|
||||
* and will be able to treat the command
|
||||
|
Loading…
Reference in New Issue
Block a user