macio: fix overflow in lba to offset conversion for ATAPI devices

As the IDEState lba field is an int32_t, make sure we cast to int64_t before shifting to calculate the offset. Otherwise we end up with an overflow when trying to access sectors beyond 2GB as can occur when using DVD images. [Maintainer edit: fixed extraneous parentheses. --js] Signed-off-by: N Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Reviewed-by: N John Snow <jsnow@redhat.com> Message-id: 1451928613-29476-1-git-send-email-mark.cave-ayland@ilande.co.uk Signed-off-by: N John Snow <jsnow@redhat.com>

macio: fix overflow in lba to offset conversion for ATAPI devices
As the IDEState lba field is an int32_t, make sure we cast to int64_t before shifting to calculate the offset. Otherwise we end up with an overflow when trying to access sectors beyond 2GB as can occur when using DVD images. [Maintainer edit: fixed extraneous parentheses. --js] Signed-off-by: N Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Reviewed-by: N John Snow <jsnow@redhat.com> Message-id: 1451928613-29476-1-git-send-email-mark.cave-ayland@ilande.co.uk Signed-off-by: N John Snow <jsnow@redhat.com>
97225170 · Mark Cave-Ayland · John Snow · 7b8a354d · 97225170
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

hw/ide/macio.c hw/ide/macio.c +1 -1

未找到文件。
--- a/hw/ide/macio.c
+++ b/hw/ide/macio.c
@@ -280,7 +280,7 @@ static void pmac_ide_atapi_transfer_cb(void *opaque, int ret)
    }

    /* Calculate current offset */
-    offset = (int64_t)(s->lba << 11) + s->io_buffer_index;
+    offset = ((int64_t)s->lba << 11) + s->io_buffer_index;

    pmac_dma_read(s->blk, offset, io->len, pmac_ide_atapi_transfer_cb, io);
    return;