Re: [Qemu-devel] [ Patch ] for CVE-2015-3242

2015-06-18 Thread Peter Maydell
On 18 June 2015 at 03:40, 罗大龙 wrote: > /qemu-2.3.0/hw/arm/pxa2xx.c > > --- pxa2xx.c.new2015-06-15 17:40:59.285002592 +0800 > +++ pxa2xx.c2015-06-15 17:43:47.001002592 +0800 > @@ -1986,6 +1986,10 @@ > > s->rx_len = qemu_get_byte(f); > s->rx_start = 0; > + if (s->rx_len < 0 || s-

[Qemu-devel] [ Patch ] for CVE-2015-3242

2015-06-17 Thread 罗大龙
/qemu-2.3.0/hw/arm/pxa2xx.c --- pxa2xx.c.new2015-06-15 17:40:59.285002592 +0800 +++ pxa2xx.c2015-06-15 17:43:47.001002592 +0800 @@ -1986,6 +1986,10 @@ s->rx_len = qemu_get_byte(f); s->rx_start = 0; + if (s->rx_len < 0 || s->rx_len > ARRAY_SIZE(s->rx_fifo)) { + return -EI
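Review bot: the submission has no commit message and no Signed-off-by line, and the diff headers (`--- pxa2xx.c.new`, `+++ pxa2xx.c`) label the patched copy as the old side, so as posted it cannot be applied or reviewed against a tree; please resend as a git format-patch against current master with a description of the bug (the CVE number and the fact that `s->rx_len` is taken from the migration stream via `qemu_get_byte(f)` and then used as a fifo length without validation) and a Signed-off-by. On the check itself, `s->rx_len > ARRAY_SIZE(s->rx_fifo)` is the right comparison for a count (rx_len equal to the array size is simply a full fifo), but the `s->rx_len < 0` half only does anything if rx_len is a signed type, since `qemu_get_byte` yields 0..255; either note the field's type in the commit message or drop that half so the intent is clear to the next reader.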