On Fri, Oct 26, 2018 at 05:23:37PM +0530, P J P wrote:
> +-- On Fri, 26 Oct 2018, Paolo Bonzini wrote --+
> | Oh, thanks! I said I was dumb. :) So the fix is just this:
> |
> | diff --git a/hw/audio/fmopl.h b/hw/audio/fmopl.h
> | index e7e578a48e..7199afaa3c 100644
> | --- a/hw/audio/fmopl.h
>
+-- On Fri, 26 Oct 2018, Paolo Bonzini wrote --+
| Oh, thanks! I said I was dumb. :) So the fix is just this:
|
| diff --git a/hw/audio/fmopl.h b/hw/audio/fmopl.h
| index e7e578a48e..7199afaa3c 100644
| --- a/hw/audio/fmopl.h
| +++ b/hw/audio/fmopl.h
| @@ -72,8 +72,8 @@ typedef struct fm_opl_f
On 26/10/2018 11:34, P J P wrote:
> +-- On Fri, 26 Oct 2018, Paolo Bonzini wrote --+
> | I am dumb and I don't understand. In set_ar_dr you get
> |
> | v = 0xff
> | ar = 15
> | dr = 15
> |
> | and OPL->AR_TABLE[60] is accessed. The size of the array is 75, which
> | seems to be
+-- On Fri, 26 Oct 2018, Paolo Bonzini wrote --+
| I am dumb and I don't understand. In set_ar_dr you get
|
| v = 0xff
| ar = 15
| dr = 15
|
| and OPL->AR_TABLE[60] is accessed. The size of the array is 75, which
| seems to be actually 14 more than required. Likewise
On 25/10/2018 10:52, Gerd Hoffmann wrote:
> We have a lovely, guest-triggerable buffer overflow in opl2 emulation.
>
> Reproducer:
> outw(0xff60, 0x220);
> outw(0x1020, 0x220);
> outw(0xffb0, 0x220);
> Result:
> Will overflow FM_OPL->AR_TABLE[] (see hw/audio/fmopl.[ch])
I am dumb
On 2018-10-25 09:52, Gerd Hoffmann wrote:
> We have a lovely, guest-triggerable buffer overflow in opl2 emulation.
>
> Reproducer:
> outw(0xff60, 0x220);
> outw(0x1020, 0x220);
> outw(0xffb0, 0x220);
> Result:
> Will overflow FM_OPL->AR_TABLE[] (see hw/audio/fmopl.[ch])
>
> The
On 25/10/18 10:52, Gerd Hoffmann wrote:
We have a lovely, guest-triggerable buffer overflow in opl2 emulation.
Reproducer:
outw(0xff60, 0x220);
outw(0x1020, 0x220);
outw(0xffb0, 0x220);
Result:
Will overflow FM_OPL->AR_TABLE[] (see hw/audio/fmopl.[ch])
The specs google
+-- On Thu, 25 Oct 2018, Gerd Hoffmann wrote --+
| We have a lovely, guest-triggerable buffer overflow in opl2 emulation.
|
| Reproducer:
| outw(0xff60, 0x220);
| outw(0x1020, 0x220);
| outw(0xffb0, 0x220);
| Result:
| Will overflow FM_OPL->AR_TABLE[] (see hw/audio/fmopl.[ch])
+
We have a lovely, guest-triggerable buffer overflow in opl2 emulation.
Reproducer:
outw(0xff60, 0x220);
outw(0x1020, 0x220);
outw(0xffb0, 0x220);
Result:
Will overflow FM_OPL->AR_TABLE[] (see hw/audio/fmopl.[ch])
The specs google finds
