Fixed possible buffer overflow causing segfault or memory corruption. The

buffers are not large enough for the maximum sector count in LBA48 mode. Now
resetting buffer pointers after processing a PRD (and move remaining data if
necessary). This should fix the SF bug items #3190970 and #3077616.
This commit is contained in:
Volker Ruppert 2011-03-06 20:51:52 +00:00
parent 93e152ef1a
commit 1df7a9131b

View File

@ -301,6 +301,14 @@ void bx_pci_ide_c::timer()
BX_PIDE_THIS s.bmdma[channel].prd_current = 0;
DEV_hd_bmdma_complete(channel);
} else {
// To avoid buffer overflow reset buffer pointers and copy data if necessary
count = BX_PIDE_THIS s.bmdma[channel].buffer_top - BX_PIDE_THIS s.bmdma[channel].buffer_idx;
if (count > 0) {
memcpy(BX_PIDE_THIS s.bmdma[channel].buffer, BX_PIDE_THIS s.bmdma[channel].buffer_idx, count);
}
BX_PIDE_THIS s.bmdma[channel].buffer_top = BX_PIDE_THIS s.bmdma[channel].buffer + count;
BX_PIDE_THIS s.bmdma[channel].buffer_idx = BX_PIDE_THIS s.bmdma[channel].buffer;
// Prepare for next PRD
BX_PIDE_THIS s.bmdma[channel].prd_current += 8;
DEV_MEM_READ_PHYSICAL(BX_PIDE_THIS s.bmdma[channel].prd_current, 4, (Bit8u *)&prd.addr);
DEV_MEM_READ_PHYSICAL(BX_PIDE_THIS s.bmdma[channel].prd_current+4, 4, (Bit8u *)&prd.size);