From: Philip K. <ph...@sh...> - 2008-03-26 22:03:50
John,

I've been tracking down a segfault in Fuse which looks very much like it's a buffer overflow in lib765. This can be reproduced by playing the North and South RZX from the RZX Archive on Fuse 0.9.0. What happens, as far as I can tell:

* The first call to fdc_write_data after startup (from a snapshot, which has lost the FDC state; this may be some of the problem) is with a value of 0x08. This sets self->fdc_cmd_id to 0x08 and self->fdc_cmd_len to 0, and then executes the sense interrupt command, which doesn't reset either of these.

* Subsequent calls to fdc_write_data happily add bytes to self->fdc_cmd_buf, decrementing self->fdc_cmd_len (initially to -1) and then the test at line 860 never succeeds. This leads to the buffer overflow after 20 or so writes (and the crash a bit later).

For what it's worth, Fuse's development version has moved away from using lib765/libdsk in order to support copy-protected disks, so please don't regard this as a high priority feature request :-)

Cheers,

Phil

-- 
Philip Kendall <ph...@sh...>
http://www.shadowmagic.org.uk/
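A simplified C model of the command-phase state machine the message describes, added here as an illustration and not lib765's or Fuse's own code. The field names fdc_cmd_id, fdc_cmd_len and fdc_cmd_buf and the 0x08 sense interrupt value come from the report; the buffer size, the parameter counts for other commands, the filler bytes and the function names fdc_write_data_buggy, fdc_write_data_fixed and replay are assumptions made for the model. The buggy variant reproduces the state-machine flaw (a zero-parameter command executes without clearing the command state, so the "length reached zero" test can never fire again) but refuses the out-of-bounds store and reports it instead of performing it; the fixed variant clears the state after every execution, tests for `<= 0`, and bounds-checks the index before writing.

```c
/* Constructed model of a uPD765-style command phase. Not lib765 code. */
#include <stdint.h>
#include <string.h>

#define CMD_BUF_SIZE 16          /* assumed buffer size for the model */
#define FDC_CMD_SENSE_INT 0x08   /* sense interrupt status, value from the report */

typedef struct {
    uint8_t fdc_cmd_id;                 /* 0 = no command in progress */
    int     fdc_cmd_len;                /* parameter bytes still expected (signed) */
    int     fdc_cmd_pos;                /* next free slot in fdc_cmd_buf */
    uint8_t fdc_cmd_buf[CMD_BUF_SIZE];
    int     commands_executed;
} fdc_model;

/* Parameter byte count per command. Only 0x08 (zero parameters) is taken
 * from the report; the other values are assumed for the model. */
static int cmd_param_count(uint8_t cmd)
{
    switch (cmd & 0x1f) {
    case FDC_CMD_SENSE_INT: return 0;
    case 0x03:              return 2;   /* specify (assumed) */
    case 0x07:              return 1;   /* recalibrate (assumed) */
    default:                return 8;   /* read/write-style commands (assumed) */
    }
}

static void fdc_reset(fdc_model *m) { memset(m, 0, sizeof *m); }

/* Buggy write, mirroring the report: a zero-parameter command executes at
 * once but leaves fdc_cmd_id/fdc_cmd_len set, so every later byte is stored
 * as a parameter, fdc_cmd_len goes negative, and "len == 0" never holds.
 * Returns 1 on a normal store, 0 when the store would run past the buffer
 * (the model refuses that write instead of corrupting memory). */
static int fdc_write_data_buggy(fdc_model *m, uint8_t value)
{
    if (m->fdc_cmd_id == 0) {
        m->fdc_cmd_id  = value;
        m->fdc_cmd_len = cmd_param_count(value);
        m->fdc_cmd_pos = 0;
        if (m->fdc_cmd_len == 0)
            m->commands_executed++;     /* executes but does not clear state */
        return 1;
    }
    if (m->fdc_cmd_pos >= CMD_BUF_SIZE)
        return 0;                       /* where unchecked code would overflow */
    m->fdc_cmd_buf[m->fdc_cmd_pos++] = value;
    m->fdc_cmd_len--;
    if (m->fdc_cmd_len == 0) {          /* never true once len went negative */
        m->commands_executed++;
        m->fdc_cmd_id = 0;
    }
    return 1;
}

/* Hardened write: state is cleared after every execution (zero-parameter
 * commands included), completion is tested with "<= 0", and the index is
 * bounds-checked before the store. */
static int fdc_write_data_fixed(fdc_model *m, uint8_t value)
{
    if (m->fdc_cmd_id == 0) {
        m->fdc_cmd_id  = value;
        m->fdc_cmd_len = cmd_param_count(value);
        m->fdc_cmd_pos = 0;
        if (m->fdc_cmd_len <= 0) {
            m->commands_executed++;
            m->fdc_cmd_id = 0;          /* ready for the next command byte */
        }
        return 1;
    }
    if (m->fdc_cmd_pos >= CMD_BUF_SIZE) {
        m->fdc_cmd_id = 0;              /* drop the malformed command */
        m->fdc_cmd_len = 0;
        m->fdc_cmd_pos = 0;
        return 0;
    }
    m->fdc_cmd_buf[m->fdc_cmd_pos++] = value;
    if (--m->fdc_cmd_len <= 0) {
        m->commands_executed++;
        m->fdc_cmd_id = 0;
        m->fdc_cmd_pos = 0;
    }
    return 1;
}

/* Feed the report's pattern (sense interrupt, then a run of further bytes;
 * 0x07 used as constructed filler) through one write function. Returns the
 * 1-based index of the first write that would have overflowed, or 0 if none. */
static int replay(int (*write)(fdc_model *, uint8_t), int extra_bytes, int *executed)
{
    fdc_model m;
    fdc_reset(&m);
    write(&m, FDC_CMD_SENSE_INT);
    for (int i = 0; i < extra_bytes; i++) {
        if (!write(&m, 0x07)) {
            if (executed) *executed = m.commands_executed;
            return i + 2;
        }
    }
    if (executed) *executed = m.commands_executed;
    return 0;
}
```

With a 16-byte model buffer the buggy variant reports the 18th write (the first byte after sense interrupt plus sixteen stored parameters) as the one that would go out of bounds, and only the initial command ever executes; the fixed variant never overflows and treats each later byte as the start of a new command.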