From 2091a098485fb6d386827aef3fb4732ae1cfac83 Mon Sep 17 00:00:00 2001
From: rich cannings <richc@google.com>
Date: Tue, 25 Jan 2011 13:58:21 -0800
Subject: Security fix from Tavis Ormandy

Perform null check before calling r->transfer_handler.

Change-Id: Ide3cd7edc7bde12a0635572bfa72f3a6dd05a926
---
 hw/dma.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

(limited to 'hw')

diff --git a/hw/dma.c b/hw/dma.c
index c8ed6b0..ff1aa2e 100644
--- a/hw/dma.c
+++ b/hw/dma.c
@@ -345,9 +345,11 @@ static void channel_run (int ncont, int ichan)
 #endif
 
     r = dma_controllers[ncont].regs + ichan;
-    n = r->transfer_handler (r->opaque, ichan + (ncont << 2),
-                             r->now[COUNT], (r->base[COUNT] + 1) << ncont);
-    r->now[COUNT] = n;
+    if (r->transfer_handler) {
+        n = r->transfer_handler (r->opaque, ichan + (ncont << 2),
+                                 r->now[COUNT], (r->base[COUNT] + 1) << ncont);
+        r->now[COUNT] = n;
+    }
     ldebug ("dma_pos %d size %d\n", n, (r->base[COUNT] + 1) << ncont);
 }
 
-- 
cgit v1.1