lm832x: don't overrun file buffer on save/restore

Saving and restoring an lm832x record would overrun the pwm.file array
since pwm.file is uint16_t elements and sizeof(pwm.file) twice as many
elements.

To ensure compatibility, padding bytes are added to the record.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Coverity-IDs: 1055728 1055729

diff --git a/hw/lm832x.c b/hw/lm832x.c
index dd94310f673a4e1765d313369fb43515f184fa1b..a2128663d781361181e0ee457121e6147c737626 100644 (file)
--- a/hw/lm832x.c
+++ b/hw/lm832x.c
@@ -439,8 +439,11 @@ static void lm_kbd_save(QEMUFile *f, void *opaque)
     qemu_put_byte(f, s->kbd.len);
     qemu_put_buffer(f, s->kbd.fifo, sizeof(s->kbd.fifo));
 
-    for (i = 0; i < sizeof(s->pwm.file); i ++)
+    for (i = 0; i < ARRAY_SIZE(s->pwm.file); i ++)
         qemu_put_be16s(f, &s->pwm.file[i]);
+    /* Padding for compatibility with older records. */
+    for ( ; i < sizeof(s->pwm.file); i++)
+        qemu_put_be16s(f, 0);
     qemu_put_8s(f, &s->pwm.faddr);
     qemu_put_buffer(f, s->pwm.addr, sizeof(s->pwm.addr));
     qemu_put_timer(f, s->pwm.tm[0]);
@@ -451,6 +454,7 @@ static void lm_kbd_save(QEMUFile *f, void *opaque)
 static int lm_kbd_load(QEMUFile *f, void *opaque, int version_id)
 {
     struct lm_kbd_s *s = (struct lm_kbd_s *) opaque;
+    uint16_t pad;
     int i;
 
     i2c_slave_load(f, &s->i2c);
@@ -475,8 +479,11 @@ static int lm_kbd_load(QEMUFile *f, void *opaque, int version_id)
     s->kbd.len = qemu_get_byte(f);
     qemu_get_buffer(f, s->kbd.fifo, sizeof(s->kbd.fifo));
 
-    for (i = 0; i < sizeof(s->pwm.file); i ++)
+    for (i = 0; i < ARRAY_SIZE(s->pwm.file); i ++)
         qemu_get_be16s(f, &s->pwm.file[i]);
+    /* Skip padding. */
+    for ( ; i < sizeof(s->pwm.file); i++)
+        qemu_get_be16(f);
     qemu_get_8s(f, &s->pwm.faddr);
     qemu_get_buffer(f, s->pwm.addr, sizeof(s->pwm.addr));
     qemu_get_timer(f, s->pwm.tm[0]);