[QEMU] fdc: Limit sector size to 16K

In fdctrl_start_transfer the sector size field (fifo[5]) is not
checked for overflows.  This allows an arbitrarily large sector size
to be used, which can in turn result in a negative data_len field that
is then used for DMA transfers.

This can lead to the corrpuption of qemu state because some subsequent
checks on the transfer length is conducted using signed integers.

This patch limits the value fifo[5] to 7 which is the standard limit
on floppy sector size.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/tools/ioemu/hw/fdc.c b/tools/ioemu/hw/fdc.c
index 3890ace120e231f4dae195b86bc585fc7bacb575..1d16cd6518cd7c45bacb9c3d0f16fc6f61681ee7 100644 (file)
--- a/tools/ioemu/hw/fdc.c
+++ b/tools/ioemu/hw/fdc.c
@@ -898,7 +898,7 @@ static void fdctrl_start_transfer (fdctrl_t *fdctrl, int direction)
         fdctrl->data_len = fdctrl->fifo[8];
     } else {
        int tmp;
-        fdctrl->data_len = 128 << fdctrl->fifo[5];
+        fdctrl->data_len = 128 << (fdctrl->fifo[5] > 7 ? 7 : fdctrl->fifo[5]);
         tmp = (cur_drv->last_sect - ks + 1);
         if (fdctrl->fifo[0] & 0x80)
             tmp += cur_drv->last_sect;