|
 |
a0f6152 |
From: Prasad J Pandit <pjp@fedoraproject.org>
|
|
|
a0f6152 |
Date: Thu, 20 Oct 2016 13:10:24 +0530
|
|
|
a0f6152 |
Subject: [PATCH] audio: intel-hda: check stream entry count during transfer
|
|
|
a0f6152 |
|
|
|
a0f6152 |
Intel HDA emulator uses stream of buffers during DMA data
|
|
|
a0f6152 |
transfers. Each entry has buffer length and buffer pointer
|
|
|
a0f6152 |
position, which are used to derive bytes to 'copy'. If this
|
|
|
a0f6152 |
length and buffer pointer were to be same, 'copy' could be
|
|
|
a0f6152 |
set to zero(0), leading to an infinite loop. Add check to
|
|
|
a0f6152 |
avoid it.
|
|
|
a0f6152 |
|
|
|
a0f6152 |
Reported-by: Huawei PSIRT <psirt@huawei.com>
|
|
|
a0f6152 |
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
|
a0f6152 |
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
|
a0f6152 |
Message-id: 1476949224-6865-1-git-send-email-ppandit@redhat.com
|
|
|
a0f6152 |
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
|
a0f6152 |
(cherry picked from commit 0c0fc2b5fd534786051889459848764edd798050)
|
|
|
a0f6152 |
---
|
|
|
a0f6152 |
hw/audio/intel-hda.c | 3 ++-
|
|
|
a0f6152 |
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
a0f6152 |
|
|
|
a0f6152 |
diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
|
|
|
a0f6152 |
index cd95340..537face 100644
|
|
|
a0f6152 |
--- a/hw/audio/intel-hda.c
|
|
|
a0f6152 |
+++ b/hw/audio/intel-hda.c
|
|
|
a0f6152 |
@@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
|
|
|
a0f6152 |
}
|
|
|
a0f6152 |
|
|
|
a0f6152 |
left = len;
|
|
|
a0f6152 |
- while (left > 0) {
|
|
|
a0f6152 |
+ s = st->bentries;
|
|
|
a0f6152 |
+ while (left > 0 && s-- > 0) {
|
|
|
a0f6152 |
copy = left;
|
|
|
a0f6152 |
if (copy > st->bsize - st->lpib)
|
|
|
a0f6152 |
copy = st->bsize - st->lpib;
|