On 4/7/21 9:57 PM, Mark Cave-Ayland wrote:
> The const pointer returned by fifo8_pop_buf() lies directly within the array used
> to model the FIFO. Building with address sanitizers enabled shows that if the
> caller expects a minimum number of bytes present then if the FIFO is nearly full,
> the caller may unexpectedly access past the end of the array.
>
> Introduce esp_fifo_pop_buf() which takes a destination buffer and performs a
> memcpy() in it to guarantee that the caller cannot overwrite the FIFO array and
> update all callers to use it. Similarly add underflow protection similar to
> esp_fifo_push() and esp_fifo_pop() so that instead of triggering an assert()
> the operation becomes a no-op.
>
> Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
> Signed-off-by: Mark Cave-Ayland <mark.cave-ayl...@ilande.co.uk>
> Tested-by: Alexander Bulekov <alx...@bu.edu>
> ---
>  hw/scsi/esp.c | 40 ++++++++++++++++++++++++++++------------
>  1 file changed, 28 insertions(+), 12 deletions(-)
Way cleaner/safer.

Reviewed-by: Philippe Mathieu-Daudé <f4...@amsat.org>
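The defect class the commit message describes, shown on a standalone ring FIFO as an added illustration (editor's example code, not QEMU's hw/scsi/esp.c or util/fifo8.c; the names ring_fifo, ring_pop_ptr and ring_pop_copy and the 8-byte capacity are hypothetical). A pop that hands back a pointer into the backing array can only promise the bytes that are contiguous up to the end of the array, so once the stored data wraps, a caller that assumes its requested minimum is present reads past the end. The copying pop below writes only into the caller's buffer, handles the wrap with two memcpy() calls, and turns underflow into a no-op instead of an assert.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RING_CAP 8u   /* small on purpose so wrap-around is easy to reach */

typedef struct {
    uint8_t data[RING_CAP];
    uint32_t head;    /* index of the oldest stored byte */
    uint32_t num;     /* number of bytes currently stored */
} ring_fifo;

static void ring_init(ring_fifo *f) { memset(f, 0, sizeof(*f)); }

static bool ring_push(ring_fifo *f, uint8_t b)
{
    if (f->num == RING_CAP) return false;       /* full: overflow is a no-op */
    f->data[(f->head + f->num) % RING_CAP] = b;
    f->num++;
    return true;
}

/*
 * Pointer-returning pop, modelled on the pattern the commit message describes:
 * returns the address of the oldest byte inside data[] and reports in *avail
 * how many bytes are contiguous from there. When the contents wrap past the
 * end of the array, *avail is smaller than 'max'; a caller that assumes 'max'
 * bytes and keeps reading walks off the end of data[] (what ASan catches).
 */
static const uint8_t *ring_pop_ptr(ring_fifo *f, uint32_t max, uint32_t *avail)
{
    uint32_t n = f->num < max ? f->num : max;
    uint32_t contiguous = RING_CAP - f->head;
    const uint8_t *p = &f->data[f->head];

    if (n > contiguous) n = contiguous;
    f->head = (f->head + n) % RING_CAP;
    f->num -= n;
    *avail = n;
    return p;
}

/*
 * Copying pop: the only memory written is the caller's destination buffer, so
 * no pointer into data[] escapes and the wrap is handled here with two
 * memcpy() calls. Underflow (fewer than 'len' bytes stored) is a no-op that
 * returns false rather than asserting.
 */
static bool ring_pop_copy(ring_fifo *f, uint8_t *dst, uint32_t len)
{
    uint32_t first;

    if (f->num < len) return false;
    first = RING_CAP - f->head;
    if (first > len) first = len;
    memcpy(dst, &f->data[f->head], first);
    memcpy(dst + first, &f->data[0], len - first);
    f->head = (f->head + len) % RING_CAP;
    f->num -= len;
    return true;
}

/*
 * Constructed input: drive the FIFO into a wrapped state. Afterwards head == 6,
 * num == 8, and the logical contents are 6, 7 (at data[6..7]) followed by
 * 0x10..0x15 (at data[0..5]).
 */
static void make_wrapped(ring_fifo *f)
{
    uint8_t scratch[6];
    uint8_t i;

    ring_init(f);
    for (i = 0; i < RING_CAP; i++) ring_push(f, i);
    ring_pop_copy(f, scratch, 6);                    /* head moves to 6 */
    for (i = 0; i < 6; i++) ring_push(f, (uint8_t)(0x10 + i)); /* data[0..5] */
}

/* Ask the pointer-returning pop for 4 bytes: only 2 are contiguous. */
static uint32_t demo_pop_ptr_contiguous(void)
{
    ring_fifo f;
    uint32_t avail;

    make_wrapped(&f);
    (void)ring_pop_ptr(&f, 4, &avail);
    return avail;                                    /* 2, not 4 */
}

/* The copying pop delivers all 4 bytes across the wrap: 06 07 10 11. */
static uint32_t demo_pop_copy_packed(void)
{
    ring_fifo f;
    uint8_t out[4];

    make_wrapped(&f);
    if (!ring_pop_copy(&f, out, 4)) return 0;
    return ((uint32_t)out[0] << 24) | ((uint32_t)out[1] << 16) |
           ((uint32_t)out[2] << 8) | out[3];
}

/* Underflow: requesting more than is stored leaves the FIFO untouched. */
static bool demo_underflow_is_noop(void)
{
    ring_fifo f;
    uint8_t out[4];

    ring_init(&f);
    ring_push(&f, 0xaa);
    ring_push(&f, 0xbb);
    return !ring_pop_copy(&f, out, 4) && f.num == 2 && f.head == 0;
}

int main(void)
{
    printf("pop_ptr contiguous: %u of 4 requested\n", demo_pop_ptr_contiguous());
    printf("pop_copy bytes: %08x\n", demo_pop_copy_packed());
    printf("underflow no-op: %s\n", demo_underflow_is_noop() ? "yes" : "no");
    return 0;
}
```

Build with -fsanitize=address and have a caller dereference p[2] after ring_pop_ptr() reports avail == 2 to see the out-of-bounds read the sanitizer flags; with ring_pop_copy() there is no pointer to misuse, and a short FIFO simply yields false.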