﻿id,summary,reporter,owner,description,type,status,component,version,resolution,keywords,cc,guest,host
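21474,Global buffer overflow in hdaMmioWrite(),cyruscyliu,,"When issuing mmio_writeb(0x2146, 0xc2), cbBefore (computed at [1] below) can be too large to be a valid index into g_afMasks (read at [2]), which only has five elements. The Assert() after [1] checks the range only in builds where assertions are enabled, so it does not bound the index otherwise.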

{{{
static DECLCALLBACK(VBOXSTRICTRC) hdaMmioWrite(PPDMDEVINS pDevIns, void *pvUser, RTGCPHYS off, void const *pv, unsigned cb) {
    // ...
    idxRegDsc = hdaR3RegLookupWithin(off);
    if (idxRegDsc != -1)
    {
        uint32_t const cbBefore = (uint32_t)off - g_aHdaRegMap[idxRegDsc].off; // [1]
        Assert(cbBefore > 0 && cbBefore < 4);
        off      -= cbBefore;
        idxRegMem = g_aHdaRegMap[idxRegDsc].idxReg;
        u64Value <<= cbBefore * 8;
        u64Value  |= pThis->au32Regs[idxRegMem] & g_afMasks[cbBefore]; // ------> [2]
}}}",defect,new,audio,VirtualBox-7.0.6,,,,Linux,Linux
