Message ID | 1476949224-6865-1-git-send-email-ppandit@redhat.com (mailing list archive) |
---|---|
State | New, archived |
On Thu, Oct 20, 2016 at 01:10:24PM +0530, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> Intel HDA emulator uses stream of buffers during DMA data
> transfers. Each entry has buffer length and buffer pointer
> position, which are used to derive bytes to 'copy'. If this
> length and buffer pointer were to be same, 'copy' could be
> set to zero(0), leading to an infinite loop. Add check to
> avoid it.
>
> Reported-by: Huawei PSIRT <psirt@huawei.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
>  hw/audio/intel-hda.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)

Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
On Thu, 2016-10-20 at 13:10 +0530, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> Intel HDA emulator uses stream of buffers during DMA data
> transfers. Each entry has buffer length and buffer pointer
> position, which are used to derive bytes to 'copy'. If this
> length and buffer pointer were to be same, 'copy' could be
> set to zero(0), leading to an infinite loop. Add check to
> avoid it.
>
> Reported-by: Huawei PSIRT <psirt@huawei.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>

Added to audio patch queue.

thanks,
  Gerd
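The loop described in the commit message, as an added example that is not part of the original thread and is not QEMU's code: a simplified model of a descriptor-driven transfer loop, run with and without the iteration cap the patch introduces. The names `struct entry`, `xfer`, `show` and `DEMO_GUARD`, the ring layout and the sample rings are assumptions made for illustration.

```c
#include <inttypes.h>
#include <stdio.h>

#define DEMO_GUARD 100000u  /* demo-only cap so the unbounded variant returns */
struct entry { uint32_t len; };  /* one buffer descriptor (hypothetical model) */

/* Constructed sample rings, four descriptors each. */
static const struct entry empty[4] = { {0}, {0}, {0}, {0} };
static const struct entry good[4]  = { {16}, {16}, {16}, {16} };
static const struct entry tiny[4]  = { {4}, {4}, {4}, {4} };

/* Walks a ring of n descriptors until len bytes are consumed.
 * bounded != 0 caps the passes at n, like the `s-- > 0` test in the patch.
 * Returns the bytes left untransferred; *iters receives the pass count. */
static uint32_t xfer(const struct entry *bpl, uint32_t n, uint32_t len,
                     int bounded, uint32_t *iters)
{
    uint32_t left = len, copy, be = 0, bp = 0, s = n;
    *iters = 0;
    while (left > 0 && *iters < DEMO_GUARD && (!bounded || s-- > 0)) {
        (*iters)++;
        copy = left;
        if (copy > bpl[be].len - bp)
            copy = bpl[be].len - bp;  /* 0 when length == position */
        bp += copy;
        left -= copy;
        if (bp == bpl[be].len) {      /* descriptor used up, take the next */
            bp = 0;
            be = (be + 1) % n;
        }
    }
    return left;
}

static void show(const char *name, const struct entry *bpl, int bounded)
{
    uint32_t it, left = xfer(bpl, 4, 32, bounded, &it);
    printf("%-5s bounded=%d left=%" PRIu32 " passes=%" PRIu32 "\n",
           name, bounded, left, it);
}

int main(void)
{
    show("empty", empty, 0);  /* spins until DEMO_GUARD stops it */
    show("empty", empty, 1);  /* stops after 4 passes, nothing moved */
    show("good", good, 1);    /* completes in 2 passes */
    show("tiny", tiny, 1);    /* cap ends the transfer with 16 bytes left */
    return 0;
}
```

In this model the cap also cuts short the `tiny` ring, which was making progress on every pass; a test for `copy == 0` would tell that case apart from the stalled `empty` ring.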
diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c index cd95340..537face 100644 --- a/hw/audio/intel-hda.c +++ b/hw/audio/intel-hda.c @@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output, } left = len; - while (left > 0) { + s = st->bentries; + while (left > 0 && s-- > 0) { copy = left; if (copy > st->bsize - st->lpib) copy = st->bsize - st->lpib;
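Review bot: the new loop condition `while (left > 0 && s-- > 0)` can end with `left` still greater than zero, and nothing in this hunk shows that short transfer being reported or logged. The cap of `st->bentries` passes bounds the loop but does not test for the failure the commit message describes, `copy` ending up zero, so a stalled stream still runs the full count of empty passes before giving up. Consider breaking out as soon as `copy == 0`, and add a comment explaining why the pass count is limited to `st->bentries`. The diffstat shows no added declaration for `s`, so also confirm it is an existing local that is not read after the loop, since `s-- > 0` leaves it decremented past zero when the count runs out.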