[Xen-changelog] [qemu-xen-traditional stable-4.6] lm832x: don't overrun file buffer on save/restore
commit fb9ee2e1049f7ca8f597a00360745ead64fd974b
Author: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Tue Nov 4 11:46:46 2014 +0000
Commit: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Fri Oct 16 16:52:06 2015 +0100

lm832x: don't overrun file buffer on save/restore

Saving and restoring an lm832x record would overrun the pwm.file array since pwm.file is uint16_t elements and sizeof(pwm.file) twice as many elements.

To ensure compatibility, padding bytes are added to the record.

Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Coverity-IDs: 1055728 1055729
---
 hw/lm832x.c | 11 +++++++++--
 1 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/hw/lm832x.c b/hw/lm832x.c
index dd94310..a212866 100644
--- a/hw/lm832x.c
+++ b/hw/lm832x.c
@@ -439,8 +439,11 @@ static void lm_kbd_save(QEMUFile *f, void *opaque)
     qemu_put_byte(f, s->kbd.len);
     qemu_put_buffer(f, s->kbd.fifo, sizeof(s->kbd.fifo));
 
-    for (i = 0; i < sizeof(s->pwm.file); i ++)
+    for (i = 0; i < ARRAY_SIZE(s->pwm.file); i ++)
         qemu_put_be16s(f, &s->pwm.file[i]);
+    /* Padding for compatibility with older records. */
+    for ( ; i < sizeof(s->pwm.file); i++)
+        qemu_put_be16s(f, 0);
     qemu_put_8s(f, &s->pwm.faddr);
     qemu_put_buffer(f, s->pwm.addr, sizeof(s->pwm.addr));
     qemu_put_timer(f, s->pwm.tm[0]);
@@ -451,6 +454,7 @@ static void lm_kbd_save(QEMUFile *f, void *opaque)
 static int lm_kbd_load(QEMUFile *f, void *opaque, int version_id)
 {
     struct lm_kbd_s *s = (struct lm_kbd_s *) opaque;
+    uint16_t pad;
     int i;
 
     i2c_slave_load(f, &s->i2c);
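Review bot: The new padding loop in lm_kbd_save calls `qemu_put_be16s(f, 0)`, but two lines above the same function is called with `&s->pwm.file[i]`, i.e. it takes a pointer to the value to write; passing the literal 0 hands it a null pointer, so the first padding element will dereference NULL and crash the save instead of emitting a zero half-word. The record-size arithmetic itself is sound (N real elements plus N padding half-words equals the old 2N half-words), so only the emit call needs changing: declare `uint16_t pad = 0;` at the top of lm_kbd_save and write `qemu_put_be16s(f, &pad);`, or, if a by-value `qemu_put_be16()` exists to mirror the `qemu_get_be16()` the load side uses, `qemu_put_be16(f, 0);`. The remainder of lm_kbd_save lies outside the hunk, so the declaration site is not visible here.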
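Review bot: `uint16_t pad;` is added to lm_kbd_load but nothing in the load hunk that follows references it; the padding is skipped with `qemu_get_be16(f)` and the value discarded, so this is a dead local that will draw an unused-variable warning on every build. Either drop the line or make the skip loop read through it, `qemu_get_be16s(f, &pad);`, so the declaration earns its place and the load mirrors the pointer-taking form used for the real elements. lm_kbd_load's body continues well past this hunk.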
@@ -475,8 +479,11 @@ static int lm_kbd_load(QEMUFile *f, void *opaque, int version_id)
     s->kbd.len = qemu_get_byte(f);
     qemu_get_buffer(f, s->kbd.fifo, sizeof(s->kbd.fifo));
 
-    for (i = 0; i < sizeof(s->pwm.file); i ++)
+    for (i = 0; i < ARRAY_SIZE(s->pwm.file); i ++)
         qemu_get_be16s(f, &s->pwm.file[i]);
+    /* Skip padding. */
+    for ( ; i < sizeof(s->pwm.file); i++)
+        qemu_get_be16(f);
     qemu_get_8s(f, &s->pwm.faddr);
     qemu_get_buffer(f, s->pwm.addr, sizeof(s->pwm.addr));
     qemu_get_timer(f, s->pwm.tm[0]);
-- 
generated by git-patchbot for /home/xen/git/qemu-xen-traditional.git#stable-4.6

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
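Review bot: The `/* Skip padding. */` comment on the new loop does not say why the half-words are read and thrown away unchecked, which is the property a later maintainer needs: records written by the old `sizeof`-bounded loop carry, in this position, whatever the overrun read past the end of pwm.file (in practice the neighbouring struct bytes), so their contents are arbitrary and must never be validated, stored or used to reject a record. Suggest `/* Skip padding. Pre-fix records hold the old overrun bytes here, so the values are meaningless and are discarded without checking; the record length is unchanged, hence no version_id bump. */`. The enclosing lm_kbd_load starts and ends outside this hunk.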