On Wed, 2 May 2007, Kirill A. Shutemov wrote:

http://secunia.com/advisories/25073/

Any comments?

AAM - http://lists.gnu.org/archive/html/qemu-devel/2007-04/msg00650.html
SB16/DMA - in attachment

--
vale
Index: hw/dma.c
===================================================================
RCS file: /cvsroot/qemu/qemu/hw/dma.c,v
retrieving revision 1.14
diff -u -r1.14 dma.c
--- hw/dma.c    21 Nov 2005 23:29:55 -0000      1.14
+++ hw/dma.c    2 May 2007 14:23:19 -0000
@@ -438,6 +438,13 @@
     write_cont (d, (0x0d << d->dshift), 0);
 }
 
+static int dma_phony_handler (void *opaque, int nchan, int dma_pos, int 
dma_len)
+{
+    dolog ("unregistered DMA channel used nchan=%d dma_pos=%d dma_len=%d\n",
+           nchan, dma_pos, dma_len);
+    return dma_pos;
+}
+
 /* dshift = 0: 8 bit DMA, 1 = 16 bit DMA */
 static void dma_init2(struct dma_cont *d, int base, int dshift,
                       int page_base, int pageh_base)
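Review bot: dma_phony_handler logs on every invocation with nothing bounding how often it fires, and since the guest programs the DMA controller it can steer transfers onto an unclaimed channel and trigger this path repeatedly; if `dolog` is active in the build (whether it is debug-only is not visible here) that is a guest-triggerable flood of the host log. Consider a per-channel "already warned" flag, or a rate limit, so the message is emitted once per channel rather than per transfer. The function also deserves a header comment stating its contract, e.g. `/* Default transfer_handler installed on every channel by dma_init2 so an unclaimed channel never runs without one; logs and returns dma_pos unchanged. */`. Note that the signature at the top of the hunk is wrapped onto two lines in the mail, so the patch as posted will not apply verbatim.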
@@ -470,6 +477,9 @@
     }
     qemu_register_reset(dma_reset, d);
     dma_reset(d);
+    for (i = 0; i < LENOFA (d->regs); ++i) {
+        d->regs[i].transfer_handler = dma_phony_handler;
+    }
 }
 
 static void dma_save (QEMUFile *f, void *opaque)
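Review bot: The loop installing dma_phony_handler runs once at init time, after `qemu_register_reset(dma_reset, d)`; if dma_reset() clears or re-initialises d->regs (its body is outside this hunk), a guest-triggered system reset would leave the channels without a handler again and reintroduce the case this patch guards against. Either confirm that dma_reset leaves transfer_handler untouched or move the loop into dma_reset so the default is re-established on every reset. The loop also relies on `i` being declared earlier in dma_init2, which is not visible in this hunk.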
Index: hw/sb16.c
===================================================================
RCS file: /cvsroot/qemu/qemu/hw/sb16.c,v
retrieving revision 1.23
diff -u -r1.23 sb16.c
--- hw/sb16.c   7 Apr 2007 18:14:41 -0000       1.23
+++ hw/sb16.c   2 May 2007 14:23:19 -0000
@@ -1189,6 +1189,12 @@
     SB16State *s = opaque;
     int till, copy, written, free;
 
+    if (s->block_size <= 0) {
+        dolog ("invalid block size=%d nchan=%d dma_pos=%d dma_len=%d\n",
+               s->block_size, nchan, dma_pos, dma_len);
+        return dma_pos;
+    }
+
     if (s->left_till_irq < 0) {
         s->left_till_irq = s->block_size;
     }
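Review bot: The new guard rejects a non-positive block_size at the top of the DMA callback, but block_size is a value the guest sets through the SB16 command interface (the write side is outside this hunk), so the log line is guest-triggerable on every callback; consider validating block_size where it is written, or bounding how often the message is emitted, in addition to this check. Returning dma_pos leaves s->left_till_irq and the rest of the state untouched, so the device stays in this condition until the guest reprograms it — worth a short comment that this is intended, e.g. `/* block_size is guest-programmed; refuse to transfer on a non-positive value rather than compute with it below */`. The enclosing function starts before this hunk.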
