openkylin
/
qemu
mirror of https://gitee.com/openkylin/qemu.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

hw/mcf5206: Fix buffer overflow for MBAR read / write 

Report from smatch:

mcf5206.c:384 m5206_mbar_readb(7) error: buffer overflow 'm5206_mbar_width' 128 <= 128
mcf5206.c:403 m5206_mbar_readw(8) error: buffer overflow 'm5206_mbar_width' 128 <= 128
mcf5206.c:427 m5206_mbar_readl(8) error: buffer overflow 'm5206_mbar_width' 128 <= 128
mcf5206.c:451 m5206_mbar_writeb(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
mcf5206.c:475 m5206_mbar_writew(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
mcf5206.c:503 m5206_mbar_writel(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128

m5206_mbar_width has 0x80 elements and supports 0 <= offset < 0x200.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
This commit is contained in:
Stefan Weil 2012-09-04 19:37:39 +02:00 committed by Aurelien Jarno
parent 599d64f6dc
commit a32354e206
1 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
hw/mcf5206.c
View File

@ -378,7 +378,7 @@ static uint32_t m5206_mbar_readb(void *opaque, target_phys_addr_t offset)
{
m5206_mbar_state *s = (m5206_mbar_state *)opaque;
offset &= 0x3ff;
if (offset > 0x200) {
if (offset >= 0x200) {
hw_error("Bad MBAR read offset 0x%x", (int)offset);
}
if (m5206_mbar_width[offset >> 2] > 1) {
@ -397,7 +397,7 @@ static uint32_t m5206_mbar_readw(void *opaque, target_phys_addr_t offset)
m5206_mbar_state *s = (m5206_mbar_state *)opaque;
int width;
offset &= 0x3ff;
if (offset > 0x200) {
if (offset >= 0x200) {
hw_error("Bad MBAR read offset 0x%x", (int)offset);
}
width = m5206_mbar_width[offset >> 2];
@ -421,7 +421,7 @@ static uint32_t m5206_mbar_readl(void *opaque, target_phys_addr_t offset)
m5206_mbar_state *s = (m5206_mbar_state *)opaque;
int width;
offset &= 0x3ff;
if (offset > 0x200) {
if (offset >= 0x200) {
hw_error("Bad MBAR read offset 0x%x", (int)offset);
}
width = m5206_mbar_width[offset >> 2];
@ -445,7 +445,7 @@ static void m5206_mbar_writeb(void *opaque, target_phys_addr_t offset,
m5206_mbar_state *s = (m5206_mbar_state *)opaque;
int width;
offset &= 0x3ff;
if (offset > 0x200) {
if (offset >= 0x200) {
hw_error("Bad MBAR write offset 0x%x", (int)offset);
}
width = m5206_mbar_width[offset >> 2];
@ -469,7 +469,7 @@ static void m5206_mbar_writew(void *opaque, target_phys_addr_t offset,
m5206_mbar_state *s = (m5206_mbar_state *)opaque;
int width;
offset &= 0x3ff;
if (offset > 0x200) {
if (offset >= 0x200) {
hw_error("Bad MBAR write offset 0x%x", (int)offset);
}
width = m5206_mbar_width[offset >> 2];
@ -497,7 +497,7 @@ static void m5206_mbar_writel(void *opaque, target_phys_addr_t offset,
m5206_mbar_state *s = (m5206_mbar_state *)opaque;
int width;
offset &= 0x3ff;
if (offset > 0x200) {
if (offset >= 0x200) {
hw_error("Bad MBAR write offset 0x%x", (int)offset);
}
width = m5206_mbar_width[offset >> 2];