From: Prasad J Pandit <p...@fedoraproject.org>

While accessing script ram[2048] via 'lsi_ram_read/write' routines, 'addr' could exceed the ram range. Mask high order bits to avoid OOB access.

Reported-by: Mark Kanda <mark.ka...@oracle.com> Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> --- hw/scsi/lsi53c895a.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c index 3f207f607c..0800df416e 100644 --- a/hw/scsi/lsi53c895a.c +++ b/hw/scsi/lsi53c895a.c @@ -2035,6 +2035,7 @@ static void lsi_ram_write(void *opaque, hwaddr addr, uint32_t mask; int shift; + addr &= 0x01FFF; newval = s->script_ram[addr >> 2]; shift = (addr & 3) * 8; mask = ((uint64_t)1 << (size * 8)) - 1; @@ -2050,6 +2051,7 @@ static uint64_t lsi_ram_read(void *opaque, hwaddr addr, uint32_t val; uint32_t mask; + addr &= 0x01FFF; val = s->script_ram[addr >> 2]; mask = ((uint64_t)1 << (size * 8)) - 1; val >>= (addr & 3) * 8; -- 2.17.2
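
Review bot: In the lsi_ram_write hunk, the literal in `addr &= 0x01FFF;` is a magic number whose link to script ram[2048] is only implied. Because the index is `addr >> 2`, the mask caps it at 0x7FF (2047), which fits a 2048-entry array, but deriving the mask from the array size (for example `sizeof(s->script_ram) - 1`) or from a named constant would keep the two tied together if the array is ever resized. The mask also wraps an out-of-range write onto an in-range word instead of dropping it, so such a write still modifies script RAM at the aliased offset. If wrapping is the intended behaviour, a one-line comment above the mask should say so.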
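
Review bot: In the lsi_ram_read hunk, `addr &= 0x01FFF;` repeats the literal used in the write path. Define it once and use it in both routines so the two masks cannot drift apart. The commit message says 'addr' could exceed the ram range but not which access reaches these callbacks with an out-of-range offset. Stating that, in the message or in a comment above the mask, would let a reader confirm that masking inside the callbacks is the right place for the fix.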