Changeset 35062 in vbox for trunk/src/VBox/Devices

Timestamp:

Dec 14, 2010 11:05:57 AM (14 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

68893

Message:

VSCSI: Fix read beyond end of S/G array

File:

• trunk/src/VBox/Devices/Storage/VSCSI/VSCSISgBuf.cpp (modified) (1 diff)

trunk/src/VBox/Devices/Storage/VSCSI/VSCSISgBuf.cpp

@@ -49 +49 @@
     uint8_t *pbBuf = pIoMemCtx->pbBuf;
 
-    pIoMemCtx->cbBufLeft -= cbData;
+    if (   pbBuf
+        && cbData)
+    {
+        pIoMemCtx->cbBufLeft -= cbData;
 
-    /* Advance to the next segment if required. */
-    if (!pIoMemCtx->cbBufLeft)
-    {
-        pIoMemCtx->iSegIdx++;
+        /* Advance to the next segment if required. */
+        if (!pIoMemCtx->cbBufLeft)
+        {
+            pIoMemCtx->iSegIdx++;
 
-        if (RT_UNLIKELY(pIoMemCtx->iSegIdx == pIoMemCtx->cSegments))
-        {
-            pIoMemCtx->cbBufLeft = 0;
-            pIoMemCtx->pbBuf     = NULL;
+            if (RT_UNLIKELY(pIoMemCtx->iSegIdx == pIoMemCtx->cSegments))
+            {
+                pIoMemCtx->cbBufLeft = 0;
+                pIoMemCtx->pbBuf     = NULL;
+            }
+            else
+            {
+                pIoMemCtx->pbBuf     = (uint8_t *)pIoMemCtx->paDataSeg[pIoMemCtx->iSegIdx].pvSeg;
+                pIoMemCtx->cbBufLeft = pIoMemCtx->paDataSeg[pIoMemCtx->iSegIdx].cbSeg;
+            }
         }
         else
-        {
-            pIoMemCtx->pbBuf     = (uint8_t *)pIoMemCtx->paDataSeg[pIoMemCtx->iSegIdx].pvSeg;
-            pIoMemCtx->cbBufLeft = pIoMemCtx->paDataSeg[pIoMemCtx->iSegIdx].cbSeg;
-        }
+            pIoMemCtx->pbBuf += cbData;
+    }
 
-        *pcbData = cbData;
-    }
-    else
-        pIoMemCtx->pbBuf += cbData;
+    *pcbData = cbData;
 
     return pbBuf;