FDC: Fix buffer overflow (Hervé Poussineau) In floppy controller, programming PIO writes which are more than one sector long leads to a buffer overflow of the fdtrl->fifo[] array. git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@4293 c046a42c-6fe2-441c-8c8c-71466251a162

commit: b3bc154098f211db7014de151c79b4234ae5029b [log] [tgz]
author: blueswir1 <blueswir1@c046a42c-6fe2-441c-8c8c-71466251a162> Thu May 01 19:03:31 2008 +0000
committer: blueswir1 <blueswir1@c046a42c-6fe2-441c-8c8c-71466251a162> Thu May 01 19:03:31 2008 +0000
tree: 8e8bdd31bb07a026fab96366e1b01f610bd1a027
parent: 6ef05b95462b46a1a885f390b55eaf632f52ec70 [diff] [blame]
diff --git a/hw/fdc.c b/hw/fdc.c
index e9ca50d..e47a1da 100644
--- a/hw/fdc.c
+++ b/hw/fdc.c

@@ -1770,8 +1770,10 @@
     /* Is it write command time ? */
     if (fdctrl->msr & FD_MSR_NONDMA) {
         /* FIFO data write */
-        fdctrl->fifo[fdctrl->data_pos++] = value;
-        if (fdctrl->data_pos % FD_SECTOR_LEN == (FD_SECTOR_LEN - 1) ||
+        pos = fdctrl->data_pos++;
+        pos %= FD_SECTOR_LEN;
+        fdctrl->fifo[pos] = value;
+        if (pos == FD_SECTOR_LEN - 1 ||
             fdctrl->data_pos == fdctrl->data_len) {
             cur_drv = get_cur_drv(fdctrl);
             if (bdrv_write(cur_drv->bs, fd_sector(cur_drv), fdctrl->fifo, 1) < 0) {
commit	b3bc154098f211db7014de151c79b4234ae5029b	[log] [tgz]
author	blueswir1 <blueswir1@c046a42c-6fe2-441c-8c8c-71466251a162>	Thu May 01 19:03:31 2008 +0000
committer	blueswir1 <blueswir1@c046a42c-6fe2-441c-8c8c-71466251a162>	Thu May 01 19:03:31 2008 +0000
tree	8e8bdd31bb07a026fab96366e1b01f610bd1a027
parent	6ef05b95462b46a1a885f390b55eaf632f52ec70 [diff] [blame]