From nobody Fri Nov 14 23:14:51 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1590479872; cv=none; d=zohomail.com; s=zohoarc; b=Pzy6XC206pBB2GTdrySCHnoFSV/gYH8dF5OxQaiRwQabgN6czKR8m4xQj4zIQDaORRZHH/7JFI7YCM+nWnu1jSjyI1PAgK+OopR0GKoPo3VZyC0VLiG2Gvx8/ylhUAOgFcviGTAtmgaYuOJ/uCdRRjPkLDIQPwS3ofcyDRDo4Zc= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1590479872; h=Content-Type:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:Message-ID:References:Sender:Subject:To; bh=XKjVgjzeHfNNiDkPKkAQa1ppfJfg/MOx2HQs/UenFpQ=; b=nVp9yIafjbK+Y7ERsazx0uNu4A4aQQxjA2dph50SkZC/OfeK/b9ZI888QLLOgW+zR8/c84RX7bGZmo6qSfH9abGt75hrixEqpBu8Gp3AGXNdcypBCFnPU4m8r6OP2e7YnVQSetmhITUoRBYMTZPCGLAUhNGjEb0xkGzhhI1uyUw= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail header.from= (p=none dis=none) header.from= Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1590479872149804.2664183571686; Tue, 26 May 2020 00:57:52 -0700 (PDT) Received: from localhost ([::1]:33746 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jdUT8-0004iD-P6 for importer@patchew.org; Tue, 26 May 2020 03:57:50 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:45084) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jdUSB-0002wb-V3 for qemu-devel@nongnu.org; Tue, 26 May 2020 03:56:51 -0400 Received: from us-smtp-delivery-1.mimecast.com ([205.139.110.120]:23250 helo=us-smtp-1.mimecast.com) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.90_1) (envelope-from ) id 1jdUSA-0002rf-G4 for qemu-devel@nongnu.org; Tue, 26 May 2020 03:56:51 -0400 Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-418-6kBLZwY9PcSqOPBNPjShQA-1; Tue, 26 May 2020 03:56:47 -0400 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id A95AE464; Tue, 26 May 2020 07:56:46 +0000 (UTC) Received: from sirius.home.kraxel.org (ovpn-113-50.ams2.redhat.com [10.36.113.50]) by smtp.corp.redhat.com (Postfix) with ESMTP id 1BA2360CD0; Tue, 26 May 2020 07:56:42 +0000 (UTC) Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id E276B1753B; Tue, 26 May 2020 09:56:39 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1590479809; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:content-type:content-type:in-reply-to:in-reply-to: references:references; bh=XKjVgjzeHfNNiDkPKkAQa1ppfJfg/MOx2HQs/UenFpQ=; b=ST908Tf7UTc1G1z6F611gHUImEsmOvnbeDb1FwxNbG6O9V3PbJYyimkITvlFAL4JaC2h2L yMPVI9wz3jVEXAn/9cmh1dbqirCQ7fWROROIrp7JvyveOhqhqX0dXkzk+PsEd/I5FkE2Ti vRGQjHFZj+IfHJ+PLs6RiGIGaHTxNTU= X-MC-Unique: 6kBLZwY9PcSqOPBNPjShQA-1 From: Gerd Hoffmann To: qemu-devel@nongnu.org Subject: [PULL 1/8] es1370: check total frame count against current frame Date: Tue, 26 May 2020 09:56:32 +0200 Message-Id: <20200526075639.27949-2-kraxel@redhat.com> In-Reply-To: <20200526075639.27949-1-kraxel@redhat.com> References: <20200526075639.27949-1-kraxel@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=205.139.110.120; envelope-from=kraxel@redhat.com; helo=us-smtp-1.mimecast.com X-detected-operating-system: by eggs.gnu.org: First seen = 2020/05/26 01:19:28 X-ACL-Warn: Detected OS = Linux 2.2.x-3.x [generic] [fuzzy] X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001 autolearn=_AUTOLEARN X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Prasad J Pandit , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Markus Armbruster , Aleksandar Markovic , Gerd Hoffmann , Aleksandar Rikalo , Aurelien Jarno Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Prasad J Pandit A guest user may set channel frame count via es1370_write() such that, in es1370_transfer_audio(), total frame count 'size' is lesser than the number of frames that are processed 'cnt'. int cnt =3D d->frame_cnt >> 16; int size =3D d->frame_cnt & 0xffff; if (size < cnt), it results in incorrect calculations leading to OOB access issue(s). Add check to avoid it. Reported-by: Ren Ding Reported-by: Hanqing Zhao Signed-off-by: Prasad J Pandit Message-id: 20200514200608.1744203-1-ppandit@redhat.com Signed-off-by: Gerd Hoffmann --- hw/audio/es1370.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c index 89c4dabcd44f..5f8a83ff5624 100644 --- a/hw/audio/es1370.c +++ b/hw/audio/es1370.c @@ -643,6 +643,9 @@ static void es1370_transfer_audio (ES1370State *s, stru= ct chan *d, int loop_sel, int csc_bytes =3D (csc + 1) << d->shift; int cnt =3D d->frame_cnt >> 16; int size =3D d->frame_cnt & 0xffff; + if (size < cnt) { + return; + } int left =3D ((size - cnt + 1) << 2) + d->leftover; int transferred =3D 0; int temp =3D MIN (max, MIN (left, csc_bytes)); @@ -651,7 +654,7 @@ static void es1370_transfer_audio (ES1370State *s, stru= ct chan *d, int loop_sel, addr +=3D (cnt << 2) + d->leftover; =20 if (index =3D=3D ADC_CHANNEL) { - while (temp) { + while (temp > 0) { int acquired, to_copy; =20 to_copy =3D MIN ((size_t) temp, sizeof (tmpbuf)); @@ -669,7 +672,7 @@ static void es1370_transfer_audio (ES1370State *s, stru= ct chan *d, int loop_sel, else { SWVoiceOut *voice =3D s->dac_voice[index]; =20 - while (temp) { + while (temp > 0) { int copied, to_copy; =20 to_copy =3D MIN ((size_t) temp, sizeof (tmpbuf)); --=20 2.18.4