﻿id	summary	reporter	owner	description	type	status	component	version	resolution	keywords	cc	guest	host
21474	Global buffer overflow in hdaMmioWrite()	cyruscyliu		"When issuing mmio_writeb(0x2146, 0xc2), the value of cbBefore computed at [1] can be too large to index g_afMasks at [2], which only has five elements; the only check between [1] and [2] is an Assert.

{{{
static DECLCALLBACK(VBOXSTRICTRC) hdaMmioWrite(PPDMDEVINS pDevIns, void *pvUser, RTGCPHYS off, void const *pv, unsigned cb) {
    // ...
    idxRegDsc = hdaR3RegLookupWithin(off);
    if (idxRegDsc != -1)
    {
        uint32_t const cbBefore = (uint32_t)off - g_aHdaRegMap[idxRegDsc].off; // [1]
        Assert(cbBefore > 0 && cbBefore < 4);
        off      -= cbBefore;
        idxRegMem = g_aHdaRegMap[idxRegDsc].idxReg;
        u64Value <<= cbBefore * 8;
        u64Value  |= pThis->au32Regs[idxRegMem] & g_afMasks[cbBefore]; // ------> [2]
}}}"	defect	new	audio	VirtualBox-7.0.6				Linux	Linux
