qemu/hw
Prasad J Pandit 369ff955a8 es1370: check total frame count against current frame
A guest user may set channel frame count via es1370_write()
such that, in es1370_transfer_audio(), total frame count
'size' is less than the number of frames that are processed
'cnt'.

    int cnt = d->frame_cnt >> 16;
    int size = d->frame_cnt & 0xffff;

if (size < cnt), it results in incorrect calculations leading
to OOB access issue(s). Add check to avoid it.

Reported-by: Ren Ding <rding@gatech.edu>
Reported-by: Hanqing Zhao <hanqing@gatech.edu>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 20200514200608.1744203-1-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2020-05-25 11:30:03 +02:00
9pfs qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
acpi qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
adc hw/*/Makefile.objs: Move many .o files to common-objs 2020-02-04 09:00:57 +01:00
alpha hw/ide: Do ide_drive_get() within pci_ide_create_devs() 2020-03-17 12:22:36 -04:00
arm hw/arm/pxa2xx: Replace hw_error() by qemu_log_mask() 2020-05-21 22:05:27 +01:00
audio es1370: check total frame count against current frame 2020-05-25 11:30:03 +02:00
block hw/block/pflash: Check return value of blk_pwrite() 2020-05-22 19:38:14 +02:00
char hw/char/xilinx_uartlite: Replace hw_error() by qemu_log_mask() 2020-05-21 22:05:27 +01:00
core various: Remove unnecessary OBJECT() cast 2020-05-15 07:08:14 +02:00
cpu qom: Drop parameter @errp of object_property_add() & friends 2020-05-15 07:07:58 +02:00
cris hw: Make MachineClass::is_default a boolean type 2020-02-28 14:57:19 -05:00
display hw/arm/pxa2xx: Replace hw_error() by qemu_log_mask() 2020-05-21 22:05:27 +01:00
dma hw/arm/pxa2xx: Replace hw_error() by qemu_log_mask() 2020-05-21 22:05:27 +01:00
gpio ARM: PL061: Introduce N_GPIOS 2020-05-21 22:05:27 +01:00
hppa hw/ide: Remove unneeded inclusion of hw/ide.h 2020-03-17 12:22:36 -04:00
hyperv qom: Drop parameter @errp of object_property_add() & friends 2020-05-15 07:07:58 +02:00
i2c hw: Remove unnecessary DEVICE() cast 2020-05-15 07:08:52 +02:00
i386 hw: Use QEMU_IS_ALIGNED() on parallel flash block size 2020-05-18 19:05:25 +02:00
ide hw/ide/ahci: Log lost IRQs 2020-05-18 19:05:25 +02:00
input qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
intc qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
ipack qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
ipmi various: Remove unnecessary OBJECT() cast 2020-05-15 07:08:14 +02:00
isa Drop more @errp parameters after previous commit 2020-05-15 07:08:14 +02:00
lm32 hw: Make MachineClass::is_default a boolean type 2020-02-28 14:57:19 -05:00
m68k hw/m68k: Use memory_region_init_rom() with read-only regions 2020-03-17 15:18:47 +01:00
mem qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
microblaze various: Remove unnecessary OBJECT() cast 2020-05-15 07:08:14 +02:00
mips smbus: Fix spd_data_generate() error API violation 2020-04-29 08:01:52 +02:00
misc hw: Move i.MX watchdog driver to hw/watchdog 2020-05-21 20:00:18 +01:00
moxie hw: Make MachineClass::is_default a boolean type 2020-02-28 14:57:19 -05:00
net hw: Remove unnecessary DEVICE() cast 2020-05-15 07:08:52 +02:00
nios2 qom: Drop parameter @errp of object_property_add() & friends 2020-05-15 07:07:58 +02:00
nubus hw: Remove unnecessary DEVICE() cast 2020-05-15 07:08:52 +02:00
nvram qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
openrisc hw: Make MachineClass::is_default a boolean type 2020-02-28 14:57:19 -05:00
pci qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
pci-bridge pcie_root_port: Add hotplug disabling option 2020-03-08 09:18:29 -04:00
pci-host hw: Remove unnecessary DEVICE() cast 2020-05-15 07:08:52 +02:00
pcmcia qom: Drop parameter @errp of object_property_add() & friends 2020-05-15 07:07:58 +02:00
ppc hw: Remove unnecessary DEVICE() cast 2020-05-15 07:08:52 +02:00
rdma lockable: Replace locks with lock guard macros 2020-05-04 16:07:43 +01:00
riscv hw: Use QEMU_IS_ALIGNED() on parallel flash block size 2020-05-18 19:05:25 +02:00
rtc qom: Drop parameter @errp of object_property_add() & friends 2020-05-15 07:07:58 +02:00
s390x various: Remove unnecessary OBJECT() cast 2020-05-15 07:08:14 +02:00
scsi qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
sd qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
semihosting semihosting: add qemu_semihosting_console_inc for SYS_READC 2020-01-09 11:41:29 +00:00
sh4 hw: Remove unnecessary DEVICE() cast 2020-05-15 07:08:52 +02:00
smbios hw/smbios/smbios: Remove unused include 2020-02-06 10:38:57 +01:00
sparc qom: Drop parameter @errp of object_property_add() & friends 2020-05-15 07:07:58 +02:00
sparc64 qom: Drop parameter @errp of object_property_add() & friends 2020-05-15 07:07:58 +02:00
ssi qom: Drop parameter @errp of object_property_add() & friends 2020-05-15 07:07:58 +02:00
timer hw/timer/exynos4210_mct: Replace hw_error() by qemu_log_mask() 2020-05-21 22:05:27 +01:00
tpm hw/tpm: fix usage of bool in tpm-tis.c 2020-05-12 11:47:24 -04:00
tricore hw: Do not initialize MachineClass::is_default to 0 2020-02-28 14:57:19 -05:00
unicore32 hw: Make MachineClass::is_default a boolean type 2020-02-28 14:57:19 -05:00
usb qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
vfio Revert "hw/display/ramfb: initialize fw-config space with xres/ yres" 2020-05-18 15:42:34 +02:00
virtio qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
watchdog hw/watchdog: Implement full i.MX watchdog support 2020-05-21 20:00:18 +01:00
xen hw: Remove unnecessary DEVICE() cast 2020-05-15 07:08:52 +02:00
xenpv trivial: Remove xenfb_enabled from sysemu.h 2020-02-04 09:00:57 +01:00
xtensa hw/xtensa/xtfpga:fix leak of fdevice tree blob 2020-02-19 10:33:38 +01:00
Kconfig Remove the core bluetooth code 2019-12-17 09:01:14 +01:00
Makefile.objs Remove the core bluetooth code 2019-12-17 09:01:14 +01:00