On 25/10/2018 10:52, Gerd Hoffmann wrote:
> We have a lovely, guest-triggerable buffer overflow in opl2 emulation.
>
> Reproducer:
>   outw(0xff60, 0x220);
>   outw(0x1020, 0x220);
>   outw(0xffb0, 0x220);
> Result:
>   Will overflow FM_OPL->AR_TABLE[] (see hw/audio/fmopl.[ch])

I am dumb and I don't understand. In set_ar_dr you get

  v = 0xff
  ar = 15
  dr = 15

and OPL->AR_TABLE[60] is accessed. The size of the array is 75, which seems to be actually 14 more than required. Likewise OPL->DR_TABLE[60] is accessed. The next accesses use SLOT->ksr, which is 0, so it's fine too.

Paolo

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list