authorblueswir1 <blueswir1@c046a42c-6fe2-441c-8c8c-71466251a162>2008-05-01 19:03:31 +0000
committerblueswir1 <blueswir1@c046a42c-6fe2-441c-8c8c-71466251a162>2008-05-01 19:03:31 +0000
commitb3bc154098f211db7014de151c79b4234ae5029b (patch)
tree8e8bdd31bb07a026fab96366e1b01f610bd1a027 /hw/fdc.c
parent6ef05b95462b46a1a885f390b55eaf632f52ec70 (diff)
FDC: Fix buffer overflow (Hervé Poussineau)
In the floppy controller, programming PIO writes that are longer than one sector
leads to a buffer overflow of the fdctrl->fifo[] array.


git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@4293 c046a42c-6fe2-441c-8c8c-71466251a162
Diffstat (limited to 'hw/fdc.c')
-rw-r--r--hw/fdc.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/hw/fdc.c b/hw/fdc.c
index e9ca50dba5..e47a1da902 100644
--- a/hw/fdc.c
+++ b/hw/fdc.c
@@ -1770,8 +1770,10 @@ static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value)
     /* Is it write command time ? */
     if (fdctrl->msr & FD_MSR_NONDMA) {
         /* FIFO data write */
-        fdctrl->fifo[fdctrl->data_pos++] = value;
-        if (fdctrl->data_pos % FD_SECTOR_LEN == (FD_SECTOR_LEN - 1) ||
+        pos = fdctrl->data_pos++;
+        pos %= FD_SECTOR_LEN;
+        fdctrl->fifo[pos] = value;
+        if (pos == FD_SECTOR_LEN - 1 ||
             fdctrl->data_pos == fdctrl->data_len) {
             cur_drv = get_cur_drv(fdctrl);
             if (bdrv_write(cur_drv->bs, fd_sector(cur_drv), fdctrl->fifo, 1) < 0) {
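Review bot: The wrap-around `pos %= FD_SECTOR_LEN;` is the whole bounds guard for the fifo[] write, but nothing in the hunk says why an out-of-range guest write is folded back into the buffer rather than rejected, and the invariant it relies on (fifo[] holds at least FD_SECTOR_LEN bytes, and the sector flush below consumes it before the next wrap) is not visible here; a comment such as `/* fifo[] holds exactly one sector: wrap the index so a PIO transfer longer than FD_SECTOR_LEN cannot run past the array */` above `pos = fdctrl->data_pos++;` would record that. The declaration of `pos` and the start of fdctrl_write_data are outside the hunk, so its type and initial value could not be checked. One further point the change does not address: when `fdctrl->data_len` is not a multiple of FD_SECTOR_LEN, the `data_pos == data_len` branch still passes the full fifo[] to bdrv_write, so the tail of that sector is whatever the previous pass left in the buffer; if that is intentional, it is worth a second comment on the `if` condition.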