FDC: Fix buffer overflow (Hervé Poussineau)

In floppy controller, programming PIO writes which are more than one sector long leads to a buffer overflow of the fdtrl->fifo[] array. git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@4293 c046a42c-6fe2-441c-8c8c-71466251a162

FDC: Fix buffer overflow (Hervé Poussineau)
In floppy controller, programming PIO writes which are more than one sector long leads to a buffer overflow of the fdtrl->fifo[] array. git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@4293 c046a42c-6fe2-441c-8c8c-71466251a162
blueswir1
1 parent 6ef05b95
Showing 1 changed file with 4 additions and 2 deletions
hw/fdc.c
@@ -1770,8 +1770,10 @@ static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value)
     /* Is it write command time ? */
     if (fdctrl->msr & FD_MSR_NONDMA) {
         /* FIFO data write */
-        fdctrl->fifo[fdctrl->data_pos++] = value;
-        if (fdctrl->data_pos % FD_SECTOR_LEN == (FD_SECTOR_LEN - 1) ||
+        pos = fdctrl->data_pos++;
+        pos %= FD_SECTOR_LEN;
+        fdctrl->fifo[pos] = value;
+        if (pos == FD_SECTOR_LEN - 1 ||
             fdctrl->data_pos == fdctrl->data_len) {
             cur_drv = get_cur_drv(fdctrl);
             if (bdrv_write(cur_drv->bs, fd_sector(cur_drv), fdctrl->fifo, 1) < 0) {