From 1df7a9131b9b6efbadd25a7e5c64907b9611c3a2 Mon Sep 17 00:00:00 2001
From: Volker Ruppert
Date: Sun, 6 Mar 2011 20:51:52 +0000
Subject: [PATCH] Fixed possible buffer overflow causing segfault or memory corruption. The buffers are not large enough for the maximum sector count in LBA48 mode. Now resetting buffer pointers after processing a PRD (and move remaining data if necessary). This should fix the SF bug items #3190970 and #3077616.
---
bochs/iodev/pci_ide.cc | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/bochs/iodev/pci_ide.cc b/bochs/iodev/pci_ide.cc
index 98e99e698..a8a9639ee 100644
--- a/bochs/iodev/pci_ide.cc
+++ b/bochs/iodev/pci_ide.cc
@@ -301,6 +301,14 @@ void bx_pci_ide_c::timer()
 BX_PIDE_THIS s.bmdma[channel].prd_current = 0;
 DEV_hd_bmdma_complete(channel);
 } else {
+ // To avoid buffer overflow reset buffer pointers and copy data if necessary
+ count = BX_PIDE_THIS s.bmdma[channel].buffer_top - BX_PIDE_THIS s.bmdma[channel].buffer_idx;
+ if (count > 0) {
+ memcpy(BX_PIDE_THIS s.bmdma[channel].buffer, BX_PIDE_THIS s.bmdma[channel].buffer_idx, count);
+ }
+ BX_PIDE_THIS s.bmdma[channel].buffer_top = BX_PIDE_THIS s.bmdma[channel].buffer + count;
+ BX_PIDE_THIS s.bmdma[channel].buffer_idx = BX_PIDE_THIS s.bmdma[channel].buffer;
+ // Prepare for next PRD
 BX_PIDE_THIS s.bmdma[channel].prd_current += 8;
 DEV_MEM_READ_PHYSICAL(BX_PIDE_THIS s.bmdma[channel].prd_current, 4, (Bit8u *)&prd.addr);
 DEV_MEM_READ_PHYSICAL(BX_PIDE_THIS s.bmdma[channel].prd_current+4, 4, (Bit8u *)&prd.size);
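Review bot: The added `memcpy` in the compaction step copies from `buffer_idx` back to the start of `buffer`, and since both live in the same array these ranges overlap whenever fewer bytes have been consumed than remain (`buffer_idx - buffer < count`), which is undefined behaviour for memcpy; the commit message itself says the leftover data is moved, so the call should be `memmove(BX_PIDE_THIS s.bmdma[channel].buffer, BX_PIDE_THIS s.bmdma[channel].buffer_idx, count);`. The PRD entries that drive this path are read from guest physical memory via `DEV_MEM_READ_PHYSICAL`, so the guest chooses the PRD sizes and therefore how much of the buffer is consumed per PRD, and can steer the copy into the overlapping case at will. `count` is declared outside the hunk; if it is an unsigned type, a `buffer_top < buffer_idx` inversion would wrap to a huge value instead of being rejected by `count > 0`, so it is presumably a signed or pointer-difference type — worth confirming. The compaction only bounds the leftover bytes; whether the next sector's data is checked against the buffer's capacity before being appended is not visible in this hunk. The body of `bx_pci_ide_c::timer()` starts and ends outside the hunk.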