hpet: Catch out-of-bounds timer access

Also prevent out-of-bounds write access to the timers but don't spam the host console if it triggers. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
author: Jan Kiszka <jan.kiszka@siemens.com> 2010-06-13 14:15:34 +0200
committer: Blue Swirl <blauwirbel@gmail.com> 2010-06-13 15:32:58 +0300
commit: 6982d6647ea98544f76d5ef40ddc23115ff44a77 (patch)
tree: 7b70ab8af8e42befe299dac1363a4daedb4e89c2
parent: c3d96978d0faaa8e54003b45619ec0768147d168 (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/hw/hpet.c b/hw/hpet.c
index 8729fb21c..198090643 100644
--- a/hw/hpet.c
+++ b/hw/hpet.c
@@ -294,7 +294,7 @@ static uint32_t hpet_ram_readl(void *opaque, target_phys_addr_t addr)
     if (index >= 0x100 && index <= 0x3ff) {
         uint8_t timer_id = (addr - 0x100) / 0x20;
         if (timer_id > HPET_NUM_TIMERS - 1) {
-            printf("qemu: timer id out of range\n");
+            DPRINTF("qemu: timer id out of range\n");
             return 0;
         }
         HPETTimer *timer = &s->timer[timer_id];
@@ -383,6 +383,10 @@ static void hpet_ram_writel(void *opaque, target_phys_addr_t addr,
         DPRINTF("qemu: hpet_ram_writel timer_id = %#x \n", timer_id);
         HPETTimer *timer = &s->timer[timer_id];
 
+        if (timer_id > HPET_NUM_TIMERS - 1) {
+            DPRINTF("qemu: timer id out of range\n");
+            return;
+        }
         switch ((addr - 0x100) % 0x20) {
             case HPET_TN_CFG:
                 DPRINTF("qemu: hpet_ram_writel HPET_TN_CFG\n");
author	Jan Kiszka <jan.kiszka@siemens.com>	2010-06-13 14:15:34 +0200
committer	Blue Swirl <blauwirbel@gmail.com>	2010-06-13 15:32:58 +0300
commit	6982d6647ea98544f76d5ef40ddc23115ff44a77 (patch)
tree	7b70ab8af8e42befe299dac1363a4daedb4e89c2
parent	c3d96978d0faaa8e54003b45619ec0768147d168 (diff)