diff options
author | Bandan Das <bsd@redhat.com> | 2018-07-20 17:40:17 -0400 |
---|---|---|
committer | Gerd Hoffmann <kraxel@redhat.com> | 2018-08-21 10:27:59 +0200 |
commit | 406f35d7fcf5f029780d2e0cc9fa0cc37856d57c (patch) | |
tree | 94d6fabe95c83333be396d718157bc08760db668 | |
parent | 47bff13cea8dd3e6ae869c3203723d93bd734637 (diff) | |
download | qemu-406f35d7fcf5f029780d2e0cc9fa0cc37856d57c.zip qemu-406f35d7fcf5f029780d2e0cc9fa0cc37856d57c.tar.gz qemu-406f35d7fcf5f029780d2e0cc9fa0cc37856d57c.tar.bz2 |
dev-mtp: fix buffer allocation for writing file contents
usb_mtp_realloc() was being incorrectly used when allocating
buffer for incoming data. Set d->length only after resizing
the buffer.
Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: 20180720214020.22897-3-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-rw-r--r-- | hw/usb/dev-mtp.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c index c40b0de..1b72603 100644 --- a/hw/usb/dev-mtp.c +++ b/hw/usb/dev-mtp.c @@ -1721,6 +1721,7 @@ static void usb_mtp_get_data(MTPState *s, mtp_container *container, MTPData *d = s->data_out; uint64_t dlen; uint32_t data_len = p->iov.size; + uint64_t total_len; if (!d) { usb_mtp_queue_result(s, RES_INVALID_OBJECTINFO, 0, @@ -1729,10 +1730,11 @@ static void usb_mtp_get_data(MTPState *s, mtp_container *container, } if (d->first) { /* Total length of incoming data */ - d->length = cpu_to_le32(container->length) - sizeof(mtp_container); + total_len = cpu_to_le32(container->length) - sizeof(mtp_container); /* Length of data in this packet */ data_len -= sizeof(mtp_container); - usb_mtp_realloc(d, d->length); + usb_mtp_realloc(d, total_len); + d->length += total_len; d->offset = 0; d->first = false; } |