Jan Kiszka <jan.kis...@web.de> wrote: > Juan Quintela wrote: >> Jan Kiszka <jan.kis...@web.de> wrote: >>> From: Jan Kiszka <jan.kis...@siemens.com> >>> >>> Also prevent out-of-bounds write access to the timers but don't spam the >>> host console if it triggers. >>> >>> Signed-off-by: Jan Kiszka <jan.kis...@siemens.com> >>> --- >>> hw/hpet.c | 6 +++++- >>> 1 files changed, 5 insertions(+), 1 deletions(-) >>> >>> diff --git a/hw/hpet.c b/hw/hpet.c >>> index 8729fb2..1980906 100644 >>> --- a/hw/hpet.c >>> +++ b/hw/hpet.c >>> @@ -294,7 +294,7 @@ static uint32_t hpet_ram_readl(void *opaque, >>> target_phys_addr_t addr) >>> if (index >= 0x100 && index <= 0x3ff) { >>> uint8_t timer_id = (addr - 0x100) / 0x20; >>> if (timer_id > HPET_NUM_TIMERS - 1) { >>> - printf("qemu: timer id out of range\n"); >>> + DPRINTF("qemu: timer id out of range\n"); >>> return 0; >>> } >>> HPETTimer *timer = &s->timer[timer_id]; >>> @@ -383,6 +383,10 @@ static void hpet_ram_writel(void *opaque, >>> target_phys_addr_t addr, >>> DPRINTF("qemu: hpet_ram_writel timer_id = %#x \n", timer_id); >> >> if you are going to check timer_id, check it before accessing the array? > > That's just address arithmetic, nothing is dereferenced at this point.
hahahahahha /me back to the pointer class. Later, Juan.
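Review bot: In the hpet_ram_readl hunk, the bound test `timer_id > HPET_NUM_TIMERS - 1` would read more directly as `timer_id >= HPET_NUM_TIMERS`. The debug message would also be more useful if it named the function and printed the offending value, as the hpet_ram_writel message "qemu: hpet_ram_writel timer_id = %#x" already does. Moving this guest-triggerable message from printf to DPRINTF is the right call, since the range check sits before `HPETTimer *timer = &s->timer[timer_id];` and the early `return 0` is kept.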
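Review bot: In the hpet_ram_writel hunk, the quoted context stops at the DPRINTF line, so the four added lines and their position relative to any `&s->timer[timer_id]` expression cannot be checked from this message. If the new range check does come after that expression, move it ahead so that the write path mirrors hpet_ram_readl, where the test on `timer_id` comes first. In C, forming a pointer more than one element past the end of an array is undefined even when it is never dereferenced, and checking first also keeps later edits from using `timer` before it is validated.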