exec: Fix bounce buffer allocation in address_space_map()

This fixes a regression introduced by commit e3127ae0c, which kept the allocation size of the bounce buffer limited to one page in order to avoid unbounded allocations (as explained in the commit message of 6d16c2f88), but broke the reporting of the shortened bounce buffer to the caller. The caller therefore assumes that the full requested size was provided and causes memory corruption when writing beyond the end of the actually allocated buffer. Signed-off-by: Kevin Wolf <kwolf@redhat.com>
author: Kevin Wolf <kwolf@redhat.com> 2013-07-22 14:30:23 +0200
committer: Kevin Wolf <kwolf@redhat.com> 2013-10-28 17:34:42 +0100
commit: e85d9db5f6f86299688a0acd2796ac1ccc96610c (patch)
tree: 99fb4856c690f009d589581d4dcd1dd31a0edfe5
parent: ba2ab2f2ca4150a7e314fbb19fa158bd8ddc36eb (diff)
download: qemu-e85d9db5f6f86299688a0acd2796ac1ccc96610c.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/exec.c b/exec.c
index 2e31ffcb2c1..b453713bdbd 100644
--- a/exec.c
+++ b/exec.c
@@ -2099,7 +2099,9 @@ void *address_space_map(AddressSpace *as,
         if (bounce.buffer) {
             return NULL;
         }
-        bounce.buffer = qemu_memalign(TARGET_PAGE_SIZE, TARGET_PAGE_SIZE);
+        /* Avoid unbounded allocations */
+        l = MIN(l, TARGET_PAGE_SIZE);
+        bounce.buffer = qemu_memalign(TARGET_PAGE_SIZE, l);
         bounce.addr = addr;
         bounce.len = l;
author	Kevin Wolf <kwolf@redhat.com>	2013-07-22 14:30:23 +0200
committer	Kevin Wolf <kwolf@redhat.com>	2013-10-28 17:34:42 +0100
commit	e85d9db5f6f86299688a0acd2796ac1ccc96610c (patch)
tree	99fb4856c690f009d589581d4dcd1dd31a0edfe5
parent	ba2ab2f2ca4150a7e314fbb19fa158bd8ddc36eb (diff)
download	qemu-e85d9db5f6f86299688a0acd2796ac1ccc96610c.tar.gz