Commit 4d2d2d8b authored by Peter Maydell's avatar Peter Maydell
Browse files

Merge remote-tracking branch 'remotes/jnsnow/tags/ide-cve-pull-request' into staging 



# gpg: Signature made Wed May 13 12:52:19 2015 BST using RSA key ID AAFC390E
# gpg: Good signature from "John Snow (John Huston) <jsnow@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: FAEB 9711 A12C F475 812F  18F2 88A9 064D 1835 61EB
#      Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76  CBD0 7DEF 8106 AAFC 390E

* remotes/jnsnow/tags/ide-cve-pull-request:
  fdc: force the fifo access to be in bounds of the allocated buffer

Signed-off-by: default avatarPeter Maydell <peter.maydell@linaro.org>
parents 968bb75c e9077462

hw/block/fdc.c

+11 −6
Original line number Diff line number Diff line
@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) 
{

    FDrive *cur_drv;

    uint32_t retval = 0;

    int pos;

    uint32_t pos;



    cur_drv = get_cur_drv(fdctrl);

    fdctrl->dsr &= ~FD_DSR_PWRDOWN;
@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) 
        return 0;

    }

    pos = fdctrl->data_pos;

    if (fdctrl->msr & FD_MSR_NONDMA) {

    pos %= FD_SECTOR_LEN;

    if (fdctrl->msr & FD_MSR_NONDMA) {

        if (pos == 0) {

            if (fdctrl->data_pos != 0)

                if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction) 
static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)

{

    FDrive *cur_drv = get_cur_drv(fdctrl);

    uint32_t pos;



    if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {

    pos = fdctrl->data_pos - 1;

    pos %= FD_SECTOR_LEN;

    if (fdctrl->fifo[pos] & 0x80) {

        /* Command parameters done */

        if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {

        if (fdctrl->fifo[pos] & 0x40) {

            fdctrl->fifo[0] = fdctrl->fifo[1];

            fdctrl->fifo[2] = 0;

            fdctrl->fifo[3] = 0;
@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256]; 
static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)

{

    FDrive *cur_drv;

    int pos;

    uint32_t pos;



    /* Reset mode */

    if (!(fdctrl->dor & FD_DOR_nRESET)) {
@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) 
    }



    FLOPPY_DPRINTF("%s: %02x\n", __func__, value);

    fdctrl->fifo[fdctrl->data_pos++] = value;

    pos = fdctrl->data_pos++;

    pos %= FD_SECTOR_LEN;

    fdctrl->fifo[pos] = value;

    if (fdctrl->data_pos == fdctrl->data_len) {

        /* We now have all parameters

         * and will be able to treat the command