Security fix from Tavis Ormandy

Perform null check before calling r->transfer_handler. Change-Id: Ide3cd7edc7bde12a0635572bfa72f3a6dd05a926
author: rich cannings <richc@google.com> 2011-01-25 13:58:21 -0800
committer: rich cannings <richc@google.com> 2011-01-25 13:58:21 -0800
commit: 2091a098485fb6d386827aef3fb4732ae1cfac83 (patch)
tree: f424f4348ab43f0de65c8752beeffe42556ee58c /hw
parent: 2223b9aef3c87386f51d007fa3e03a6f2ac41e74 (diff)
download: external_qemu-2091a098485fb6d386827aef3fb4732ae1cfac83.zip
external_qemu-2091a098485fb6d386827aef3fb4732ae1cfac83.tar.gz
external_qemu-2091a098485fb6d386827aef3fb4732ae1cfac83.tar.bz2
1 files changed, 5 insertions, 3 deletions
diff --git a/hw/dma.c b/hw/dma.c
index c8ed6b0..ff1aa2e 100644
--- a/hw/dma.c
+++ b/hw/dma.c
@@ -345,9 +345,11 @@ static void channel_run (int ncont, int ichan)
 #endif
 
     r = dma_controllers[ncont].regs + ichan;
-    n = r->transfer_handler (r->opaque, ichan + (ncont << 2),
-                             r->now[COUNT], (r->base[COUNT] + 1) << ncont);
-    r->now[COUNT] = n;
+    if (r->transfer_handler) {
+        n = r->transfer_handler (r->opaque, ichan + (ncont << 2),
+                                 r->now[COUNT], (r->base[COUNT] + 1) << ncont);
+        r->now[COUNT] = n;
+    }
     ldebug ("dma_pos %d size %d\n", n, (r->base[COUNT] + 1) << ncont);
 }
author	rich cannings <richc@google.com>	2011-01-25 13:58:21 -0800
committer	rich cannings <richc@google.com>	2011-01-25 13:58:21 -0800
commit	2091a098485fb6d386827aef3fb4732ae1cfac83 (patch)
tree	f424f4348ab43f0de65c8752beeffe42556ee58c /hw
parent	2223b9aef3c87386f51d007fa3e03a6f2ac41e74 (diff)
download	external_qemu-2091a098485fb6d386827aef3fb4732ae1cfac83.zip external_qemu-2091a098485fb6d386827aef3fb4732ae1cfac83.tar.gz external_qemu-2091a098485fb6d386827aef3fb4732ae1cfac83.tar.bz2