Commit | Line | Data |
---|---|---|
d37b5565 WB |
1 | From ad0e6e88e0432aa1e6c75f52a6b3b4bf463e2563 Mon Sep 17 00:00:00 2001 |
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | |
3 | Date: Thu, 20 Oct 2016 13:10:24 +0530 | |
4 | Subject: [PATCH 1/8] audio: intel-hda: check stream entry count during | |
5 | transfer | |
6 | ||
7 | Intel HDA emulator uses stream of buffers during DMA data | |
8 | transfers. Each entry has buffer length and buffer pointer | |
9 | position, which are used to derive bytes to 'copy'. If this | |
10 | length and buffer pointer were to be same, 'copy' could be | |
11 | set to zero(0), leading to an infinite loop. Add check to | |
12 | avoid it. | |
13 | ||
14 | Reported-by: Huawei PSIRT <psirt@huawei.com> | |
15 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | |
16 | Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> | |
17 | Message-id: 1476949224-6865-1-git-send-email-ppandit@redhat.com | |
18 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | |
19 | --- | |
20 | hw/audio/intel-hda.c | 3 ++- | |
21 | 1 file changed, 2 insertions(+), 1 deletion(-) | |
22 | ||
23 | diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c | |
24 | index cd95340..537face 100644 | |
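--- a/hw/audio/intel-hda.c
+++ b/hw/audio/intel-hda.c
@@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
 }
 
 left = len;
- while (left > 0) {
+ s = st->bentries;
+ while (left > 0 && s-- > 0) {
 copy = left;
 if (copy > st->bsize - st->lpib)
 copy = st->bsize - st->lpib;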
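Review bot: The new bound on `while (left > 0 && s-- > 0)` stops the spin, but it makes an exhausted counter indistinguishable from a completed transfer: when `s` runs out while `left` is still non-zero, the remainder of `len` is simply not copied. The function continues past the hunk, so whether the caller learns of the short transfer is not visible here; if it does not, a check after the loop such as `if (left > 0) { return false; }`, or at least a trace point, would make a degenerate guest-supplied buffer list observable instead of silent. The loop also deserves a comment saying why the entry count is the bound, e.g. `/* guest-controlled BDL: an entry whose length equals its position gives copy == 0, so cap the passes at bentries */`. `s` is declared outside the hunk; if it is unsigned, the post-decrement leaves it wrapped after the final failed test, which is harmless only as long as nothing reads it afterwards.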
37 | -- | |
38 | 2.1.4 | |
39 |