Fix PCI config space overflow, by Herbert Xu.

git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@2238 c046a42c-6fe2-441c-8c8c-71466251a162

1 files changed, 16 insertions, 8 deletions

diff --git a/hw/pci.c b/hw/pci.c
index bc7c779e59..d8fcd7be55 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -242,16 +242,23 @@ uint32_t pci_default_read_config(PCIDevice *d,
                                  uint32_t address, int len)
 {
     uint32_t val;
+
     switch(len) {
-    case 1:
-        val = d->config[address];
-        break;
-    case 2:
-        val = le16_to_cpu(*(uint16_t *)(d->config + address));
-        break;
     default:
     case 4:
-        val = le32_to_cpu(*(uint32_t *)(d->config + address));
+	if (address <= 0xfc) {
+	    val = le32_to_cpu(*(uint32_t *)(d->config + address));
+	    break;
+	}
+	/* fall through */
+    case 2:
+        if (address <= 0xfe) {
+	    val = le16_to_cpu(*(uint16_t *)(d->config + address));
+	    break;
+	}
+	/* fall through */
+    case 1:
+        val = d->config[address];
         break;
     }
     return val;
@@ -341,7 +348,8 @@ void pci_default_write_config(PCIDevice *d,
         if (can_write) {
             d->config[addr] = val;
         }
-        addr++;
+        if (++addr > 0xff)
+        	break;
         val >>= 8;
     }