On 25/10/2018 10:52, Gerd Hoffmann wrote:
> We have a lovely, guest-triggerable buffer overflow in opl2
> emulation.
> Reproducer:
> /* word write to 0x220: low byte selects the register, high byte is the data */
> outw(0xff60, 0x220);  /* register 0x60 <- 0xff: AR = 15, DR = 15 for slot 0 */
> outw(0x1020, 0x220);  /* register 0x20 <- 0x10: KSR bit set */
> outw(0xffb0, 0x220);  /* register 0xb0 <- 0xff: key on, block 7, high f-number bits */
> Result:
> Will overflow FM_OPL->AR_TABLE[] (see hw/audio/fmopl.[ch])
I am dumb and I don't understand. In set_ar_dr you get
v = 0xff
ar = 15
dr = 15
and OPL->AR_TABLE[60] is accessed. The size of the array is 75, which
seems to be actually 14 more than required. Likewise OPL->DR_TABLE[60]
is accessed.
The next accesses use SLOT->ksr which is 0 so it's fine too.
Paolo
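The index arithmetic under discussion, as an added model written for this page rather than code from QEMU or from either poster: set_ar_dr points SLOT->AR at &AR_TABLE[ar << 2] and the envelope code then reads SLOT->AR[SLOT->ksr], so the effective element read once all three registers have been written is AR_TABLE[(ar << 2) + ksr]. The table length 75 is the one quoted in the thread; the derivation of ksr from the guest-visible registers (kcode = block << 1 | f-number bit 9, shifted right by 0 when the KSR bit of register 0x20 is set and by 2 otherwise) is assumed from the OPL2 register layout. The block enumerates every combination of the three register values the reproducer touches and reports the largest index that can be reached.

```c
#include <stdio.h>
#include <stdint.h>

/* Length of FM_OPL->AR_TABLE[] as quoted in the thread (hw/audio/fmopl.h). */
#define AR_TABLE_LEN 75

/* Model of set_ar_dr() indexing (not QEMU's code):
 *   SLOT->AR   = &OPL->AR_TABLE[ar << 2];   ar = v >> 4, 0..15
 *   SLOT->evsa = SLOT->AR[SLOT->ksr];
 * ar == 0 selects a separate fixed rate table in fmopl.c; modelled as
 * index 0 here (assumption) since it cannot reach the end of AR_TABLE. */
static int ar_table_index(int ar, int ksr)
{
    if (ar == 0)
        return 0;
    return (ar << 2) + ksr;
}

/* ksr as derived from the two guest-written registers (assumed layout):
 *   reg 0xb0: bit 5 key on, bits 4..2 block, bits 1..0 f-number bits 9..8
 *   reg 0x20: bit 4 KSR; set -> ksr = kcode, clear -> ksr = kcode >> 2 */
static int ksr_from_regs(uint8_t reg20, uint8_t regb0)
{
    int block = (regb0 >> 2) & 7;
    int fnum9 = (regb0 >> 1) & 1;
    int kcode = (block << 1) | fnum9;     /* 0..15 */
    int shift = (reg20 & 0x10) ? 0 : 2;
    return kcode >> shift;
}

/* Index produced by the three writes in the quoted reproducer:
 * reg 0x60 = 0xff, reg 0x20 = 0x10, reg 0xb0 = 0xff. */
static int reproducer_index(void)
{
    return ar_table_index(0xff >> 4, ksr_from_regs(0x10, 0xff));
}

/* Largest index reachable over every value of the three registers. */
static int max_reachable_index(void)
{
    int worst = 0;
    for (int v = 0; v < 256; v++)
        for (int reg20 = 0; reg20 < 256; reg20++)
            for (int regb0 = 0; regb0 < 256; regb0++) {
                int idx = ar_table_index(v >> 4, ksr_from_regs(reg20, regb0));
                if (idx > worst)
                    worst = idx;
            }
    return worst;
}

/* 1 if any reachable index falls outside a table of the given length. */
static int can_overflow(int table_len)
{
    return max_reachable_index() >= table_len;
}

int main(void)
{
    printf("reproducer index : %d\n", reproducer_index());
    printf("max reachable    : %d (table length %d)\n",
           max_reachable_index(), AR_TABLE_LEN);
    printf("%s\n", can_overflow(AR_TABLE_LEN) ? "out of bounds" : "in bounds");
    return 0;
}
```

With ksr held at 0 the highest index is 60, which is the access Paolo describes; the enumeration shows how far the index moves once the KSR bit and the block/f-number register are also under guest control.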