From b3bc154098f211db7014de151c79b4234ae5029b Mon Sep 17 00:00:00 2001
From: blueswir1
Date: Thu, 1 May 2008 19:03:31 +0000
Subject: [PATCH] =?UTF-8?q?FDC:=20Fix=20buffer=20overflow=20(Herv=C3=A9=20?=
 =?UTF-8?q?Poussineau)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In floppy controller, programming PIO writes which are more than one sector long leads to a buffer overflow of the fdtrl->fifo[] array.

git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@4293 c046a42c-6fe2-441c-8c8c-71466251a162
---
 hw/fdc.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/hw/fdc.c b/hw/fdc.c
index e9ca50dba5..e47a1da902 100644
--- a/hw/fdc.c
+++ b/hw/fdc.c
@@ -1770,8 +1770,10 @@ static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value)
     /* Is it write command time ? */
     if (fdctrl->msr & FD_MSR_NONDMA) {
         /* FIFO data write */
-        fdctrl->fifo[fdctrl->data_pos++] = value;
-        if (fdctrl->data_pos % FD_SECTOR_LEN == (FD_SECTOR_LEN - 1) ||
+        pos = fdctrl->data_pos++;
+        pos %= FD_SECTOR_LEN;
+        fdctrl->fifo[pos] = value;
+        if (pos == FD_SECTOR_LEN - 1 ||
             fdctrl->data_pos == fdctrl->data_len) {
             cur_drv = get_cur_drv(fdctrl);
             if (bdrv_write(cur_drv->bs, fd_sector(cur_drv), fdctrl->fifo, 1) < 0) {
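Review bot: The new `pos %= FD_SECTOR_LEN` is the only thing keeping the `fdctrl->fifo[pos]` store in bounds, and nothing in the hunk says why two counters are now needed; a comment above the three added lines would stop a later maintainer from "simplifying" it back to indexing with data_pos: `/* data_pos counts bytes across the whole transfer; fifo[] holds one sector, so index it with the in-sector offset */`. The declaration of `pos` is outside the hunk, so its type cannot be checked here; the index is only safe if it is unsigned (or at least never negative) and if fifo[] really is FD_SECTOR_LEN bytes or larger — worth confirming at the declaration. A separate, pre-existing concern: when the flush is triggered by `fdctrl->data_pos == fdctrl->data_len` at an offset other than FD_SECTOR_LEN - 1, `bdrv_write(..., fdctrl->fifo, 1)` still commits the full fifo[] sector, so any stale bytes past the last written position go to disk; whether data_len can be a non-multiple of FD_SECTOR_LEN here is not visible in the hunk. fdctrl_write_data begins and ends outside the hunk.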