+-- On Fri, 26 Oct 2018, Paolo Bonzini wrote --+
| I am dumb and I don't understand. In set_ar_dr you get
|
|     v = 0xff
|     ar = 15
|     dr = 15
|
| and OPL->AR_TABLE[60] is accessed. The size of the array is 75, which
| seems to be actually 14 more than required. Likewise OPL->DR_TABLE[60]
| is accessed.
|
| The next accesses use SLOT->ksr which is 0 so it's fine too.

In set_ar_dr

    SLOT->AR = ar ? &OPL->AR_TABLE[ar<<2] : RATE_0;

SLOT->AR is set to point to OPL->DR_TABLE[60], and while so, if s->ksr is set to 15, in CALC_FCSLOT()

    SLOT->evsa = SLOT->AR[ksr];   <= accesses OPL->AR_TABLE[60 + 15];

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
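The index arithmetic the two messages argue about, as an added stand-alone model (not code from the thread or from the emulator source): it takes only what the messages state (a 75-entry AR_TABLE, a base of &AR_TABLE[ar<<2] chosen in set_ar_dr, a later read of SLOT->AR[ksr]) and assumes that ar and ksr are both at most 15; the helper names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the accesses described in the thread. Only the
 * table size (75) and the index expressions are taken from the messages;
 * the 0..15 ranges for ar and ksr are assumptions. */
#define AR_TABLE_SIZE 75
#define RATE_MAX 15   /* assumed: ar is a 4-bit rate field */
#define KSR_MAX  15   /* assumed: ksr is derived from a 4-bit key code */

/* Flat index that SLOT->AR[ksr] resolves to once SLOT->AR = &AR_TABLE[ar<<2]. */
static int ar_index(int ar, int ksr) { return (ar << 2) + ksr; }

/* 1 if the read stays inside AR_TABLE, 0 if it runs past the end. */
static int ar_index_in_bounds(int ar, int ksr) {
    int idx = ar_index(ar, ksr);
    return idx >= 0 && idx < AR_TABLE_SIZE;
}

/* Largest index reachable over every ar/ksr combination (ar == 0 selects
 * RATE_0 instead of the table, so it is skipped). */
static int max_ar_index(void) {
    int max = 0;
    for (int ar = 1; ar <= RATE_MAX; ar++)
        for (int ksr = 0; ksr <= KSR_MAX; ksr++)
            if (ar_index(ar, ksr) > max) max = ar_index(ar, ksr);
    return max;
}

/* Smallest table size for which every reachable (ar, ksr) is in bounds. */
static int required_ar_table_size(void) { return max_ar_index() + 1; }

/* Bounds-checked replacement for the raw SLOT->AR[ksr] read:
 * 0 and *out set on success, -1 if the index falls outside the table. */
static int read_ar_checked(const int32_t *table, size_t size,
                           int ar, int ksr, int32_t *out) {
    int idx = ar_index(ar, ksr);
    if (idx < 0 || (size_t)idx >= size) return -1;
    *out = table[idx];
    return 0;
}

/* Runs the checked read against a zero-filled 75-entry table. */
static int checked_read_status(int ar, int ksr) {
    int32_t table[AR_TABLE_SIZE] = {0}, v;
    return read_ar_checked(table, AR_TABLE_SIZE, ar, ksr, &v);
}

int main(void) {
    printf("ar=15 ksr=15 -> index %d of %d, in bounds: %d\n",
           ar_index(15, 15), AR_TABLE_SIZE, ar_index_in_bounds(15, 15));
    printf("max reachable index %d, required size %d, checked read: %d\n",
           max_ar_index(), required_ar_table_size(), checked_read_status(15, 15));
    return 0;
}
```

With ar=15 and ksr=15 the index is 75, exactly one past the last element of a 75-entry table, so the table would need 76 entries (or a check like read_ar_checked) to cover every reachable combination.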