diff options
author | Peter Maydell <peter.maydell@linaro.org> | 2021-01-23 22:34:21 +0000 |
---|---|---|
committer | Peter Maydell <peter.maydell@linaro.org> | 2021-01-23 22:34:21 +0000 |
commit | e81eb5e6d108008445821e4f891fb9563016c71b (patch) | |
tree | 3d4519060779ec276ec4d2e592b2109e4cfca614 /hw | |
parent | e93c65a6c64fa18b0c61fb9338d364cbea32b6ef (diff) | |
parent | ccd3b3b8112b670fdccf8a392b8419b173ffccb4 (diff) | |
download | qemu-e81eb5e6d108008445821e4f891fb9563016c71b.zip qemu-e81eb5e6d108008445821e4f891fb9563016c71b.tar.gz qemu-e81eb5e6d108008445821e4f891fb9563016c71b.tar.bz2 |
Merge remote-tracking branch 'remotes/bonzini-gitlab/tags/for-upstream' into staging
* Make MinGW respect --bindir (Joshua)
* Switch MinGW to a "deep" installation (Joshua + NSIS fixes by myself)
* Fix compilation errors/warnings (Qixin, Philippe)
* QemuOpts cleanups (myself)
* Consistency improvements for -action (myself)
* remove deprecated "change vnc TARGET" functionality (myself)
* meson cleanups (Marc-André, Philippe, myself)
* IDE out-of-bounds access (Prasad)
* LA57 fix for -cpu max (Weijiang)
# gpg: Signature made Sat 23 Jan 2021 20:55:59 GMT
# gpg: using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
# gpg: issuer "pbonzini@redhat.com"
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full]
# gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" [full]
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1
# Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83
* remotes/bonzini-gitlab/tags/for-upstream: (30 commits)
qemu-option: warn for short-form boolean options
qemu-option: move help handling to get_opt_name_value
qemu-option: clean up id vs. list->merge_lists
vnc: support "-vnc help"
qmp: remove deprecated "change" command
hmp: remove "change vnc TARGET" command
acceptance: switch to QMP change-vnc-password command
meson.build: Detect bzip2 program
meson.build: Declare global edk2_targets / install_edk2_blobs variables
meson: Add a section header for library dependencies
meson: Display crypto-related information altogether
meson: Display block layer information altogether
meson: Display accelerators and selected targets altogether
meson: Summarize compilation-related information altogether
meson: Summarize overall features altogether
meson: Display host binaries information altogether
meson: Summarize information related to directories first
meson: convert wixl detection to Meson
nsis: adjust for new MinGW paths
meson: Declare have_virtfs_proxy_helper in main meson.build
...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'hw')
-rw-r--r-- | hw/ide/atapi.c | 30 |
1 files changed, 24 insertions, 6 deletions
diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c index e791578..b626199 100644 --- a/hw/ide/atapi.c +++ b/hw/ide/atapi.c @@ -322,6 +322,8 @@ static void ide_atapi_cmd_reply(IDEState *s, int size, int max_size) static void ide_atapi_cmd_read_pio(IDEState *s, int lba, int nb_sectors, int sector_size) { + assert(0 <= lba && lba < (s->nb_sectors >> 2)); + s->lba = lba; s->packet_transfer_size = nb_sectors * sector_size; s->elementary_transfer_size = 0; @@ -420,6 +422,8 @@ eot: static void ide_atapi_cmd_read_dma(IDEState *s, int lba, int nb_sectors, int sector_size) { + assert(0 <= lba && lba < (s->nb_sectors >> 2)); + s->lba = lba; s->packet_transfer_size = nb_sectors * sector_size; s->io_buffer_size = 0; @@ -973,35 +977,49 @@ static void cmd_prevent_allow_medium_removal(IDEState *s, uint8_t* buf) static void cmd_read(IDEState *s, uint8_t* buf) { - int nb_sectors, lba; + unsigned int nb_sectors, lba; + + /* Total logical sectors of ATAPI_SECTOR_SIZE(=2048) bytes */ + uint64_t total_sectors = s->nb_sectors >> 2; if (buf[0] == GPCMD_READ_10) { nb_sectors = lduw_be_p(buf + 7); } else { nb_sectors = ldl_be_p(buf + 6); } - - lba = ldl_be_p(buf + 2); if (nb_sectors == 0) { ide_atapi_cmd_ok(s); return; } + lba = ldl_be_p(buf + 2); + if (lba >= total_sectors || lba + nb_sectors - 1 >= total_sectors) { + ide_atapi_cmd_error(s, ILLEGAL_REQUEST, ASC_LOGICAL_BLOCK_OOR); + return; + } + ide_atapi_cmd_read(s, lba, nb_sectors, 2048); } static void cmd_read_cd(IDEState *s, uint8_t* buf) { - int nb_sectors, lba, transfer_request; + unsigned int nb_sectors, lba, transfer_request; - nb_sectors = (buf[6] << 16) | (buf[7] << 8) | buf[8]; - lba = ldl_be_p(buf + 2); + /* Total logical sectors of ATAPI_SECTOR_SIZE(=2048) bytes */ + uint64_t total_sectors = s->nb_sectors >> 2; + nb_sectors = (buf[6] << 16) | (buf[7] << 8) | buf[8]; if (nb_sectors == 0) { ide_atapi_cmd_ok(s); return; } + lba = ldl_be_p(buf + 2); + if (lba >= total_sectors || lba + nb_sectors - 1 >= total_sectors) { + ide_atapi_cmd_error(s, ILLEGAL_REQUEST, ASC_LOGICAL_BLOCK_OOR); + return; + } + transfer_request = buf[9] & 0xf8; if (transfer_request == 0x00) { /* nothing */ |