authorJuergen Lock <nox@FreeBSD.org>2015-05-17 10:09:36 +0000
committerJuergen Lock <nox@FreeBSD.org>2015-05-17 10:09:36 +0000
commita5d6daade5f9d70b65365296353cbbe8ece8a8b6 (patch)
treebd581c5d54d5dc952ad2e19ed8c8926a92c739d1 /emulators/qemu/files
parent2d8360554fba12169ba01f7bd9194c10f6fdef29 (diff)
Notes
Diffstat (limited to 'emulators/qemu/files')
-rw-r--r--emulators/qemu/files/patch-CVE-2015-345644
1 files changed, 44 insertions, 0 deletions
diff --git a/emulators/qemu/files/patch-CVE-2015-3456 b/emulators/qemu/files/patch-CVE-2015-3456
new file mode 100644
index 000000000000..3ea061ea2056
--- /dev/null
+++ b/emulators/qemu/files/patch-CVE-2015-3456
@@ -0,0 +1,44 @@
+--- a/hw/fdc.c
++++ b/hw/fdc.c
+@@ -1324,7 +1324,7 @@ static uint32_t fdctrl_read_data (fdctrl
+ {
+ fdrive_t *cur_drv;
+ uint32_t retval = 0;
+- int pos;
++ uint32_t pos;
+
+ cur_drv = get_cur_drv(fdctrl);
+ fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1333,8 +1333,8 @@ static uint32_t fdctrl_read_data (fdctrl
+ return 0;
+ }
+ pos = fdctrl->data_pos;
++ pos %= FD_SECTOR_LEN;
+ if (fdctrl->msr & FD_MSR_NONDMA) {
+- pos %= FD_SECTOR_LEN;
+ if (pos == 0) {
+ if (fdctrl->data_pos != 0)
+ if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1680,8 +1680,11 @@ static void fdctrl_handle_option (fdctrl
+ static void fdctrl_handle_drive_specification_command (fdctrl_t *fdctrl, int direction)
+ {
+ fdrive_t *cur_drv = get_cur_drv(fdctrl);
++ uint32_t pos;
++
++ pos = fdctrl->data_pos - 1;
++ pos %= FD_SECTOR_LEN;
+-
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++ if (fdctrl->fifo[pos] & 0x80) {
+ /* Command parameters done */
+ if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
+ fdctrl->fifo[0] = fdctrl->fifo[1];
+@@ -1778,7 +1782,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value)
+ {
+ fdrive_t *cur_drv;
+- int pos;
++ uint32_t pos;
+
+ /* Reset mode */
+ if (!(fdctrl->dor & FD_DOR_nRESET)) {
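Review bot: In the fdctrl_handle_drive_specification_command hunk of the embedded patch, the nested `if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {` is left as a context line, so it still indexes the FIFO with the unwrapped `data_pos - 1` while only the outer `& 0x80` test uses the bounded `pos`; it should read `if (fdctrl->fifo[pos] & 0x40) {`. The fdctrl_write_data hunk changes only the declaration of `pos` to `uint32_t`, and the 44-line patch ends inside that function, so no FIFO store there is shown being reduced modulo `FD_SECTOR_LEN`. If the rest of that function still stores through `fdctrl->data_pos` directly, the out-of-bounds FIFO access this patch is meant to close would remain on the write path, which is worth confirming against the port's fdc.c. The last embedded hunk header starts at +1782 where the earlier hunks' net +3 lines would give +1781, which may mean a hunk was dropped or edited by hand.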