author | Jan Kiszka <jan.kiszka@siemens.com> | 2010-06-13 14:15:34 +0200 |
---|---|---|
committer | Blue Swirl <blauwirbel@gmail.com> | 2010-06-13 15:32:58 +0300 |
commit | 6982d6647ea98544f76d5ef40ddc23115ff44a77 (patch) | |
tree | 7b70ab8af8e42befe299dac1363a4daedb4e89c2 /hw | |
parent | c3d96978d0faaa8e54003b45619ec0768147d168 (diff) | |
hpet: Catch out-of-bounds timer access
Also prevent out-of-bounds write access to the timers but don't spam the
host console if it triggers.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
Diffstat (limited to 'hw')
-rw-r--r-- | hw/hpet.c | 6 |
1 files changed, 5 insertions, 1 deletions
@@ -294,7 +294,7 @@ static uint32_t hpet_ram_readl(void *opaque, target_phys_addr_t addr)
 if (index >= 0x100 && index <= 0x3ff) {
 uint8_t timer_id = (addr - 0x100) / 0x20;
 if (timer_id > HPET_NUM_TIMERS - 1) {
- printf("qemu: timer id out of range\n");
+ DPRINTF("qemu: timer id out of range\n");
 return 0;
 }
 HPETTimer *timer = &s->timer[timer_id];
@@ -383,6 +383,10 @@ static void hpet_ram_writel(void *opaque, target_phys_addr_t addr,
 DPRINTF("qemu: hpet_ram_writel timer_id = %#x \n", timer_id);
 HPETTimer *timer = &s->timer[timer_id];
+ if (timer_id > HPET_NUM_TIMERS - 1) {
+ DPRINTF("qemu: timer id out of range\n");
+ return;
+ }
 switch ((addr - 0x100) % 0x20) {
 case HPET_TN_CFG:
 DPRINTF("qemu: hpet_ram_writel HPET_TN_CFG\n"); |
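Review bot: In the hpet_ram_writel hunk the new range check sits after `HPETTimer *timer = &s->timer[timer_id];`, so the pointer is still formed from a guest-controlled index before that index is validated. Nothing visible dereferences it before the `return`, but forming a pointer more than one element past the array is undefined behaviour in C, and hpet_ram_readl (first hunk) already checks before deriving the pointer. I would move the added `if (timer_id > HPET_NUM_TIMERS - 1) { ... return; }` block above the `HPETTimer *timer` declaration so both accessors validate first. Since DPRINTF is presumably compiled out in normal builds, a comment such as `/* guest-controlled index: reject quietly so a guest cannot flood the host console */` would record why the rejection is silent. hpet_ram_writel's body starts and ends outside the hunk.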