Commit e85d9db5 authored by Kevin Wolf

exec: Fix bounce buffer allocation in address_space_map()

This fixes a regression introduced by commit e3127ae0, which kept the
allocation size of the bounce buffer limited to one page in order to
avoid unbounded allocations (as explained in the commit message of
6d16c2f8), but broke the reporting of the shortened bounce buffer to
the caller. The caller therefore assumes that the full requested size
was provided and causes memory corruption when writing beyond the end of
the actually allocated buffer.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
parent ba2ab2f2
+3 −1
@@ -2099,7 +2099,9 @@ void *address_space_map(AddressSpace *as,
        if (bounce.buffer) {
            return NULL;
        }
        bounce.buffer = qemu_memalign(TARGET_PAGE_SIZE, TARGET_PAGE_SIZE);
        /* Avoid unbounded allocations */
        l = MIN(l, TARGET_PAGE_SIZE);
        bounce.buffer = qemu_memalign(TARGET_PAGE_SIZE, l);
        bounce.addr = addr;
        bounce.len = l;
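Review bot: the hunk only makes the fix complete if the clamped `l` is also what `address_space_map()` reports back through `*plen` further down, which is outside these lines; please confirm that the later `*plen = l` (or equivalent) uses this variable rather than the original request, since that mismatch is exactly the memory corruption the commit message describes. Moving `l = MIN(l, TARGET_PAGE_SIZE)` ahead of `qemu_memalign(TARGET_PAGE_SIZE, l)` so that the allocation and `bounce.len = l` agree is the right ordering; it would help future readers to extend the `/* Avoid unbounded allocations */` comment with a note that callers must honour the returned length, because a caller that writes the full requested size into a buffer of `l` bytes overflows it.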