8132122889
A case was reported where s->io_buffer_index can be out of range. The report skimped on the details but it seems to be triggered by s->lba == -1 on the READ/READ CD paths (e.g. by sending an ATAPI command with LBA = 0xFFFFFFFF). For now paper over it with assertions. The first one ensures that there is no overflow when incrementing s->io_buffer_index, the second checks for the buffer overrun. Note that the buffer overrun is only a read, so I am not sure if the assertion failure is actually less harmful than the overrun. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Message-id: 20201201120926.56559-1-pbonzini@redhat.com Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> |
||
---|---|---|
.. | ||
ahci_internal.h | ||
ahci-allwinner.c | ||
ahci.c | ||
atapi.c | ||
cmd646.c | ||
core.c | ||
ich.c | ||
ioport.c | ||
isa.c | ||
Kconfig | ||
macio.c | ||
meson.build | ||
microdrive.c | ||
mmio.c | ||
pci.c | ||
piix.c | ||
qdev.c | ||
sii3112.c | ||
trace-events | ||
trace.h | ||
via.c |