exec: Fix bounce buffer allocation in address_space_map()
This fixes a regression introduced by commite3127ae0c
, which kept the allocation size of the bounce buffer limited to one page in order to avoid unbounded allocations (as explained in the commit message of6d16c2f88
), but broke the reporting of the shortened bounce buffer to the caller. The caller therefore assumes that the full requested size was provided and causes memory corruption when writing beyond the end of the actually allocated buffer. Signed-off-by: Kevin Wolf <kwolf@redhat.com>
This commit is contained in:
parent
ba2ab2f2ca
commit
e85d9db5f6
4
exec.c
4
exec.c
@ -2099,7 +2099,9 @@ void *address_space_map(AddressSpace *as,
|
||||
if (bounce.buffer) {
|
||||
return NULL;
|
||||
}
|
||||
bounce.buffer = qemu_memalign(TARGET_PAGE_SIZE, TARGET_PAGE_SIZE);
|
||||
/* Avoid unbounded allocations */
|
||||
l = MIN(l, TARGET_PAGE_SIZE);
|
||||
bounce.buffer = qemu_memalign(TARGET_PAGE_SIZE, l);
|
||||
bounce.addr = addr;
|
||||
bounce.len = l;
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user