Opened 20 months ago
#21474 new defect
Global buffer overflow in hdaMmioWrite()
| Reported by: | cyruscyliu | Owned by: | |
|---|---|---|---|
| Component: | audio | Version: | VirtualBox-7.0.6 |
| Keywords: | Cc: | ||
| Guest type: | Linux | Host type: | Linux |
Description
When issuing mmio_writeb(0x2146, 0xc2), cbBefore[1] can be too large for g_afMasks[2], which only has five elements.
static DECLCALLBACK(VBOXSTRICTRC) hdaMmioWrite(PPDMDEVINS pDevIns, void *pvUser, RTGCPHYS off, void const *pv, unsigned cb) {
// ...
idxRegDsc = hdaR3RegLookupWithin(off);
if (idxRegDsc != -1)
{
uint32_t const cbBefore = (uint32_t)off - g_aHdaRegMap[idxRegDsc].off; // [1]
Assert(cbBefore > 0 && cbBefore < 4);
off -= cbBefore;
idxRegMem = g_aHdaRegMap[idxRegDsc].idxReg;
u64Value <<= cbBefore * 8;
u64Value |= pThis->au32Regs[idxRegMem] & g_afMasks[cbBefore]; // ------> [2]
Attachments (3)
Note:
See TracTickets
for help on using tickets.


backtrace