qemu/hw/audio
Prasad J Pandit 369ff955a8 es1370: check total frame count against current frame
A guest user may set channel frame count via es1370_write()
such that, in es1370_transfer_audio(), total frame count
'size' is less than the number of frames that are processed
'cnt'.

    int cnt = d->frame_cnt >> 16;
    int size = d->frame_cnt & 0xffff;

If (size < cnt), it results in incorrect calculations leading
to OOB access issue(s). Add check to avoid it.

Reported-by: Ren Ding <rding@gatech.edu>
Reported-by: Hanqing Zhao <hanqing@gatech.edu>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 20200514200608.1744203-1-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2020-05-25 11:30:03 +02:00
ac97.c Compress lines for immediate return 2020-05-04 14:43:22 +02:00
adlib.c Compress lines for immediate return 2020-05-04 14:43:22 +02:00
cs4231.c qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
cs4231a.c qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
es1370.c es1370: check total frame count against current frame 2020-05-25 11:30:03 +02:00
fmopl.c hw/audio/fmopl: fix segmentation fault 2020-03-25 09:55:40 +01:00
fmopl.h fmops: fix off-by-one in AR_TABLE and DR_TABLE array size 2018-11-26 11:15:32 +01:00
gus.c qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
gusemu_hal.c fix "Missing break in switch" coverity reports 2018-08-23 13:32:50 +02:00
gusemu_mixer.c audio: GUSsample is int16_t 2017-05-04 09:16:05 +02:00
gusemu.h audio: GUSsample is int16_t 2017-05-04 09:16:05 +02:00
gustate.h Clean up decorations and whitespace around header guards 2016-07-12 16:20:46 +02:00
hda-codec-common.h hda-codec: make mixemu selectable at runtime 2013-09-24 10:29:34 +02:00
hda-codec.c qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
intel-hda-defs.h hw: move private headers to hw/ subdirectories. 2013-04-08 18:13:16 +02:00
intel-hda.c qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
intel-hda.h Include hw/qdev-properties.h less 2019-08-16 13:31:53 +02:00
Kconfig i2c: express dependencies with Kconfig 2019-03-07 21:45:53 +01:00
lm4549.c Include migration/vmstate.h less 2019-08-16 13:31:52 +02:00
lm4549.h Include exec/memory.h slightly less 2019-08-16 13:31:52 +02:00
Makefile.objs audio: Move arch_init audio code to hw/audio/soundhw.c 2017-05-19 10:48:53 +02:00
marvell_88w8618.c qom: Drop parameter @errp of object_property_add() & friends 2020-05-15 07:07:58 +02:00
milkymist-ac97.c qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
pcspk.c qom: Drop parameter @errp of object_property_add() & friends 2020-05-15 07:07:58 +02:00
pl041.c qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
pl041.h Clean up decorations and whitespace around header guards 2016-07-12 16:20:46 +02:00
pl041.hx hw: move target-independent files to subdirectories 2013-04-08 18:13:12 +02:00
sb16.c qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
soundhw.c Include qemu-common.h exactly where needed 2019-06-12 13:20:20 +02:00
trace-events trace-events: Shorten file names in comments 2019-03-22 16:18:07 +00:00
wm8750.c qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00