8132122889
A case was reported where s->io_buffer_index can be out of range. The report skimped on the details but it seems to be triggered by s->lba == -1 on the READ/READ CD paths (e.g. by sending an ATAPI command with LBA = 0xFFFFFFFF). For now paper over it with assertions. The first one ensures that there is no overflow when incrementing s->io_buffer_index, the second checks for the buffer overrun. Note that the buffer overrun is only a read, so I am not sure if the assertion failure is actually less harmful than the overrun. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Message-id: 20201201120926.56559-1-pbonzini@redhat.com Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> |
||
|---|---|---|
| .. | ||
| ahci-allwinner.c | ||
| ahci.c | ||
| ahci_internal.h | ||
| atapi.c | ||
| cmd646.c | ||
| core.c | ||
| ich.c | ||
| ioport.c | ||
| isa.c | ||
| Kconfig | ||
| macio.c | ||
| meson.build | ||
| microdrive.c | ||
| mmio.c | ||
| pci.c | ||
| piix.c | ||
| qdev.c | ||
| sii3112.c | ||
| trace-events | ||
| trace.h | ||
| via.c | ||