mirror of https://github.com/xemu-project/xemu.git
98e77e3dd8
When reading input audio in the virtio-snd input callback, virtio_snd_pcm_in_cb(), we do not check whether the iov can actually fit the data buffer. This is because we use the buffer->size field as a total-so-far accumulator instead of byte-size-left like in TX buffers. This triggers an out of bounds write if the size of the virtio queue element is equal to virtio_snd_pcm_status, which makes the available space for audio data zero. This commit adds a check for reaching the maximum buffer size before attempting any writes. Reported-by: Zheyu Ma <zheyuma97@gmail.com> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2427 Signed-off-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org> Message-Id: <virtio-snd-fuzz-2427-fix-v1-manos.pitsidianakis@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> |
||
|---|---|---|
| .. | ||
| Kconfig | ||
| ac97.c | ||
| ac97.h | ||
| adlib.c | ||
| asc.c | ||
| cs4231.c | ||
| cs4231a.c | ||
| es1370.c | ||
| fmopl.c | ||
| fmopl.h | ||
| gus.c | ||
| gusemu.h | ||
| gusemu_hal.c | ||
| gusemu_mixer.c | ||
| gustate.h | ||
| hda-codec-common.h | ||
| hda-codec.c | ||
| intel-hda-defs.h | ||
| intel-hda.c | ||
| intel-hda.h | ||
| lm4549.c | ||
| lm4549.h | ||
| marvell_88w8618.c | ||
| meson.build | ||
| pcspk.c | ||
| pl041.c | ||
| pl041.h | ||
| pl041.hx | ||
| sb16.c | ||
| soundhw.c | ||
| trace-events | ||
| trace.h | ||
| via-ac97.c | ||
| virtio-snd-pci.c | ||
| virtio-snd.c | ||
| wm8750.c | ||