On 01/12/20 16:23, Philippe Mathieu-Daudé wrote:
Hi Prasad,
On 12/1/20 4:00 PM, P J P wrote:
* I was thinking about checking 'elementary_transfer_size' against
'byte_count_limit', but that did not work out. The loop is confusing there,
it first sets elementary_size = size and subtracts the same
If the code is confusing, you can rewrite in a less confuse way :)
That way the problem are easier to notice.
* I tested the patch with a reproducer and it helped to fix the crash.
[thread hijack]
About reproducer, Michael asked about CVE-2020-24352 (ati_vga OOB in
ati_2d_blt) this morning. What happens to reproducers when a CVE is
assigned, but the bug is marked as "out of the QEMU security boundary"?
Is it possible to release the reproducer to the community, so we can
work on a fix and test it?
Ideally it should be, in the shape of a qtest. :)
Paolo
