Hi Prasad,

On 12/1/20 4:00 PM, P J P wrote:
> * I was thinking about checking 'elementary_transfer_size' against
> 'byte_count_limit', but that did not work out. The loop is confusing there,
> it first sets elementary_size = size and subtracts the same

If the code is confusing, you can rewrite it in a less confusing way :)
That way the problems are easier to notice.

> * I tested the patch with a reproducer and it helped to fix the crash.

[thread hijack]

About reproducers, Michael asked about CVE-2020-24352 (ati_vga OOB in
ati_2d_blt) this morning. What happens to reproducers when a CVE is
assigned, but the bug is marked as "out of the QEMU security boundary"?
Is it possible to release the reproducer to the community, so we can
work on a fix and test it?

Thanks,

Phil.