From 369ff955a8497988d079c4e3fa1e93c2570c1c69 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit
Date: Fri, 15 May 2020 01:36:08 +0530
Subject: es1370: check total frame count against current frame

A guest user may set channel frame count via es1370_write() such that, in es1370_transfer_audio(), total frame count 'size' is lesser than the number of frames that are processed 'cnt'. int cnt = d->frame_cnt >> 16; int size = d->frame_cnt & 0xffff; if (size < cnt), it results in incorrect calculations leading to OOB access issue(s). Add check to avoid it.

Reported-by: Ren Ding
Reported-by: Hanqing Zhao
Signed-off-by: Prasad J Pandit
Message-id: 20200514200608.1744203-1-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann
---
 hw/audio/es1370.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'hw')

diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c
index 89c4dab..5f8a83f 100644
--- a/hw/audio/es1370.c
+++ b/hw/audio/es1370.c
@@ -643,6 +643,9 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel,
     int csc_bytes = (csc + 1) << d->shift;
     int cnt = d->frame_cnt >> 16;
     int size = d->frame_cnt & 0xffff;
+    if (size < cnt) {
+        return;
+    }
     int left = ((size - cnt + 1) << 2) + d->leftover;
     int transferred = 0;
     int temp = MIN (max, MIN (left, csc_bytes));
@@ -651,7 +654,7 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel,
     addr += (cnt << 2) + d->leftover;
 
     if (index == ADC_CHANNEL) {
-        while (temp) {
+        while (temp > 0) {
             int acquired, to_copy;
 
             to_copy = MIN ((size_t) temp, sizeof (tmpbuf));
@@ -669,7 +672,7 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel,
     else {
         SWVoiceOut *voice = s->dac_voice[index];
 
-        while (temp) {
+        while (temp > 0) {
             int copied, to_copy;
 
             to_copy = MIN ((size_t) temp, sizeof (tmpbuf));
-- 
cgit v1.1

From 2f097e1964dc25a5633a54cae15ff068e9473196 Mon Sep 17 00:00:00 2001
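Review bot: The new `if (size < cnt) { return; }` in the first hunk carries no comment saying which guest-written state it rejects, so a later reader has to rediscover from the commit message that frame_cnt packs the current frame in the high 16 bits and the total frame count in the low 16 bits; suggest `/* guest-writable frame_cnt: current frame (hi 16) must not exceed total (lo 16), or 'left' below goes negative */` above the check. The early return is also silent, which hides a register state that only a misbehaving or fuzzed guest produces; if the file has a debug-log helper, a one-line message at this point would make the condition observable without changing behaviour. The `while (temp > 0)` changes in the second and third hunks appear to defend against the same negative-length case, and with the guard in place `left` is presumably at least 4 plus d->leftover, so a short comment at the first of them explaining why `> 0` is still wanted (for example if `max` can be negative, which is not visible here) would keep the two fixes from looking redundant. es1370_transfer_audio starts before the first hunk and ends after the last.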
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?=
Date: Tue, 5 May 2020 12:07:50 +0200
Subject: hw/audio/gus: Use AUDIO_HOST_ENDIANNESS definition from 'audio/audio.h'
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Use the generic AUDIO_HOST_ENDIANNESS definition instead of a custom one.

Signed-off-by: Philippe Mathieu-Daudé
Message-id: 20200505100750.27332-1-f4bug@amsat.org
Signed-off-by: Gerd Hoffmann
---
 hw/audio/gus.c | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
(limited to 'hw')

diff --git a/hw/audio/gus.c b/hw/audio/gus.c
index eb4a803..c8df2bd 100644
--- a/hw/audio/gus.c
+++ b/hw/audio/gus.c
@@ -41,12 +41,6 @@
 #define ldebug(...)
 #endif
 
-#ifdef HOST_WORDS_BIGENDIAN
-#define GUS_ENDIANNESS 1
-#else
-#define GUS_ENDIANNESS 0
-#endif
-
 #define TYPE_GUS "gus"
 #define GUS(obj) OBJECT_CHECK (GUSState, (obj), TYPE_GUS)
 
@@ -256,7 +250,7 @@ static void gus_realizefn (DeviceState *dev, Error **errp)
     as.freq = s->freq;
     as.nchannels = 2;
     as.fmt = AUDIO_FORMAT_S16;
-    as.endianness = GUS_ENDIANNESS;
+    as.endianness = AUDIO_HOST_ENDIANNESS;
 
     s->voice = AUD_open_out (
         &s->card,
-- 
cgit v1.1

From b3b8a1fea6ed5004bbad2f70833caee70402bf02 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?=
Date: Fri, 15 May 2020 10:42:09 +0200
Subject: hw/mips/mips_fulong2e: Remove unused 'audio/audio.h' include
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Fuloong machine never had to use "audio/audio.h", remove it.

Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Huacai Chen
Message-id: 20200515084209.9419-1-f4bug@amsat.org
Signed-off-by: Gerd Hoffmann
---
 hw/mips/mips_fulong2e.c | 1 -
 1 file changed, 1 deletion(-)
(limited to 'hw')

diff --git a/hw/mips/mips_fulong2e.c b/hw/mips/mips_fulong2e.c
index ef02d54..05b9efa 100644
--- a/hw/mips/mips_fulong2e.c
+++ b/hw/mips/mips_fulong2e.c
@@ -33,7 +33,6 @@
 #include "hw/mips/mips.h"
 #include "hw/mips/cpudevs.h"
 #include "hw/pci/pci.h"
-#include "audio/audio.h"
 #include "qemu/log.h"
 #include "hw/loader.h"
 #include "hw/ide/pci.h"
-- 
cgit v1.1