From: Andrew Cooper
Date: Tue, 4 Nov 2014 11:46:46 +0000 (+0000)
Subject: lm832x: don't overrun file buffer on save/restore
X-Git-Tag: xen-4.6.1~33
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=fb9ee2e1049f7ca8f597a00360745ead64fd974b;p=qemu-xen-unstable.git

lm832x: don't overrun file buffer on save/restore

Saving and restoring an lm832x record would overrun the pwm.file array since pwm.file is uint16_t elements and sizeof(pwm.file) twice as many elements.

To ensure compatibility, padding bytes are added to the record.

Signed-off-by: Andrew Cooper
Coverity-IDs: 1055728 1055729
---

diff --git a/hw/lm832x.c b/hw/lm832x.c
index dd94310f67..a2128663d7 100644
--- a/hw/lm832x.c
+++ b/hw/lm832x.c
@@ -439,8 +439,11 @@ static void lm_kbd_save(QEMUFile *f, void *opaque)
     qemu_put_byte(f, s->kbd.len);
     qemu_put_buffer(f, s->kbd.fifo, sizeof(s->kbd.fifo));
 
-    for (i = 0; i < sizeof(s->pwm.file); i ++)
+    for (i = 0; i < ARRAY_SIZE(s->pwm.file); i ++)
         qemu_put_be16s(f, &s->pwm.file[i]);
+    /* Padding for compatibility with older records. */
+    for ( ; i < sizeof(s->pwm.file); i++)
+        qemu_put_be16s(f, 0);
     qemu_put_8s(f, &s->pwm.faddr);
     qemu_put_buffer(f, s->pwm.addr, sizeof(s->pwm.addr));
     qemu_put_timer(f, s->pwm.tm[0]);
@@ -451,6 +454,7 @@ static int lm_kbd_load(QEMUFile *f, void *opaque, int version_id)
 {
     struct lm_kbd_s *s = (struct lm_kbd_s *) opaque;
+    uint16_t pad;
     int i;
 
     i2c_slave_load(f, &s->i2c);
 
@@ -475,8 +479,11 @@ static int lm_kbd_load(QEMUFile *f, void *opaque, int version_id)
     s->kbd.len = qemu_get_byte(f);
     qemu_get_buffer(f, s->kbd.fifo, sizeof(s->kbd.fifo));
 
-    for (i = 0; i < sizeof(s->pwm.file); i ++)
+    for (i = 0; i < ARRAY_SIZE(s->pwm.file); i ++)
         qemu_get_be16s(f, &s->pwm.file[i]);
+    /* Skip padding. */
+    for ( ; i < sizeof(s->pwm.file); i++)
+        qemu_get_be16(f);
     qemu_get_8s(f, &s->pwm.faddr);
     qemu_get_buffer(f, s->pwm.addr, sizeof(s->pwm.addr));
     qemu_get_timer(f, s->pwm.tm[0]);
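Review bot: `qemu_put_be16s(f, 0);` in the new padding loop of lm_kbd_save passes a null pointer where the `s`-suffixed helpers take the address of a value — every other such call in this hunk passes `&s->...` — so if qemu_put_be16s dereferences its argument as those calls suggest, the first save after this patch faults on a NULL dereference instead of emitting the padding. The load side already uses the by-value form `qemu_get_be16(f)`, and the save side should mirror it: `qemu_put_be16(f, 0);`. The number of bytes written is the same either way, so the record compatibility the commit message promises is kept. lm_kbd_save's body begins before this hunk.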
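Review bot: The added local `uint16_t pad;` in lm_kbd_load is never referenced — the padding-skip loop later in this function reads with `qemu_get_be16(f)` and drops the result — so it only earns an unused-variable warning. Either remove the declaration or read the padding through it, `qemu_get_be16s(f, &pad);`, so that the save and load paths use matching calls. lm_kbd_load's body continues outside this hunk.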