update to qemu-2.9.0-rc2

[pve-qemu-kvm.git] / debian / patches / extra / CVE-2016-8909-audio-intel-hda-check-stream-entry-count-during-tran.patch

diff --git a/debian/patches/extra/CVE-2016-8909-audio-intel-hda-check-stream-entry-count-during-tran.patch b/debian/patches/extra/CVE-2016-8909-audio-intel-hda-check-stream-entry-count-during-tran.patch
deleted file mode 100644 (file)
index d8102b3..0000000
--- a/debian/patches/extra/CVE-2016-8909-audio-intel-hda-check-stream-entry-count-during-tran.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From ad0e6e88e0432aa1e6c75f52a6b3b4bf463e2563 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 20 Oct 2016 13:10:24 +0530
-Subject: [PATCH 1/8] audio: intel-hda: check stream entry count during
- transfer
-
-Intel HDA emulator uses stream of buffers during DMA data
-transfers. Each entry has buffer length and buffer pointer
-position, which are used to derive bytes to 'copy'. If this
-length and buffer pointer were to be same, 'copy' could be
-set to zero(0), leading to an infinite loop. Add check to
-avoid it.
-
-Reported-by: Huawei PSIRT <psirt@huawei.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Message-id: 1476949224-6865-1-git-send-email-ppandit@redhat.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/audio/intel-hda.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
-index cd95340..537face 100644
---- a/hw/audio/intel-hda.c
-+++ b/hw/audio/intel-hda.c
-@@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
-     }
- 
-     left = len;
--    while (left > 0) {
-+    s = st->bentries;
-+    while (left > 0 && s-- > 0) {
-         copy = left;
-         if (copy > st->bsize - st->lpib)
-             copy = st->bsize - st->lpib;
--- 
-2.1.4
-