Fixed possible buffer overflow causing segfault or memory corruption. The
buffers are not large enough for the maximum sector count in LBA48 mode. The buffer pointers are now reset after processing a PRD (moving any remaining data if necessary). This should fix the SF bug items #3190970 and #3077616.
parent
93e152ef1a
commit
1df7a9131b
@ -301,6 +301,14 @@ void bx_pci_ide_c::timer()
|
||||
BX_PIDE_THIS s.bmdma[channel].prd_current = 0;
|
||||
DEV_hd_bmdma_complete(channel);
|
||||
} else {
|
||||
// To avoid buffer overflow reset buffer pointers and copy data if necessary
|
||||
count = BX_PIDE_THIS s.bmdma[channel].buffer_top - BX_PIDE_THIS s.bmdma[channel].buffer_idx;
|
||||
if (count > 0) {
|
||||
memcpy(BX_PIDE_THIS s.bmdma[channel].buffer, BX_PIDE_THIS s.bmdma[channel].buffer_idx, count);
|
||||
}
|
||||
BX_PIDE_THIS s.bmdma[channel].buffer_top = BX_PIDE_THIS s.bmdma[channel].buffer + count;
|
||||
BX_PIDE_THIS s.bmdma[channel].buffer_idx = BX_PIDE_THIS s.bmdma[channel].buffer;
|
||||
// Prepare for next PRD
|
||||
BX_PIDE_THIS s.bmdma[channel].prd_current += 8;
|
||||
DEV_MEM_READ_PHYSICAL(BX_PIDE_THIS s.bmdma[channel].prd_current, 4, (Bit8u *)&prd.addr);
|
||||
DEV_MEM_READ_PHYSICAL(BX_PIDE_THIS s.bmdma[channel].prd_current+4, 4, (Bit8u *)&prd.size);
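Review bot: The compaction step copies within a single buffer, so source and destination overlap whenever `count` is larger than the distance from `buffer` to `buffer_idx`, which is undefined behaviour for `memcpy`; it should be `memmove(BX_PIDE_THIS s.bmdma[channel].buffer, BX_PIDE_THIS s.bmdma[channel].buffer_idx, count);`. Resetting the pointers also only reclaims space that was already consumed. The `prd.size` read on the last line comes from guest physical memory, and nothing in the visible lines checks it against the room left after `buffer_top`. That bound is presumably enforced elsewhere in `timer()` and is worth confirming, since the commit message says the buffers are smaller than the LBA48 maximum. The body of `bx_pci_ide_c::timer()` starts and ends outside this hunk.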
|
||||
|