Commit 406f35d7 authored by Bandan Das Committed by Gerd Hoffmann

dev-mtp: fix buffer allocation for writing file contents



usb_mtp_realloc() was being incorrectly used when allocating
buffer for incoming data. Set d->length only after resizing
the buffer.

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: 20180720214020.22897-3-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
parent 47bff13c
+4 −2
@@ -1721,6 +1721,7 @@ static void usb_mtp_get_data(MTPState *s, mtp_container *container,
    MTPData *d = s->data_out;
    uint64_t dlen;
    uint32_t data_len = p->iov.size;
    uint64_t total_len;

    if (!d) {
            usb_mtp_queue_result(s, RES_INVALID_OBJECTINFO, 0,
@@ -1729,10 +1730,11 @@ static void usb_mtp_get_data(MTPState *s, mtp_container *container,
    }
    if (d->first) {
        /* Total length of incoming data */
        d->length = cpu_to_le32(container->length) - sizeof(mtp_container);
        total_len = cpu_to_le32(container->length) - sizeof(mtp_container);
        /* Length of data in this packet */
        data_len -= sizeof(mtp_container);
        usb_mtp_realloc(d, d->length);
        usb_mtp_realloc(d, total_len);
        d->length += total_len;
        d->offset = 0;
        d->first = false;
    }