Message ID | 20230105125713.450275-1-cyruscyliu@gmail.com (mailing list archive) |
---|---|
State | New, archived |
Series | hw/display/xlnx_dp: fix overflow in xlnx_dp_aux_push_rx_fifo() |
diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c index 322e2faadd..972473d94f 100644 --- a/hw/display/xlnx_dp.c +++ b/hw/display/xlnx_dp.c @@ -508,6 +508,10 @@ static void xlnx_dp_aux_set_command(XlnxDPState *s, uint32_t value) case READ_AUX: case READ_I2C: case READ_I2C_MOT: + if (nbytes > fifo8_num_free(&s->rx_fifo)) { + qemu_log_mask(LOG_GUEST_ERROR, "xlnx_dp: RX length > available fifo data length"); + nbytes = fifo8_num_free(&s->rx_fifo); + } s->core_registers[DP_AUX_REPLY_CODE] = aux_request(s->aux_bus, cmd, xlnx_dp_aux_get_address(s), nbytes, buf);
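Review bot: the qemu_log_mask() string in the new check under READ_AUX/READ_I2C/READ_I2C_MOT has no trailing "\n" and names the wrong quantity. The comparison is against fifo8_num_free(&s->rx_fifo), which is free space in the RX FIFO, not "available fifo data length". Something like "xlnx_dp: AUX read length exceeds free space in RX FIFO\n" would be accurate, and splitting the call across two lines keeps it within 80 columns. fifo8_num_free() is also evaluated twice; storing it in a local makes the clamp easier to read. Separately, the subject names xlnx_dp_aux_push_rx_fifo() as the overflow site while the guard is placed in xlnx_dp_aux_set_command(), so the commit message should state why clamping nbytes here is sufficient, or the push helper should carry its own bound check.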
Check s->rx_fifo before pushing data into it.

Fixes: 58ac482a66de ("introduce xlnx-dp")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1419
Reported-by: Qiang Liu <cyruscyliu@gmail.com>
Signed-off-by: Qiang Liu <cyruscyliu@gmail.com>
---
 hw/display/xlnx_dp.c | 4 ++++
 1 file changed, 4 insertions(+)