Index: qemu-0.8.2/hw/dma.c
===================================================================
--- qemu-0.8.2.orig/hw/dma.c 2006-07-22 20:23:34.000000000 +0300
+++ qemu-0.8.2/hw/dma.c 2007-04-20 06:05:59.000000000 +0300
@@ -340,9 +340,11 @@ static void channel_run (int ncont, int
 #endif
 r = dma_controllers[ncont].regs + ichan;
- n = r->transfer_handler (r->opaque, ichan + (ncont << 2),
- r->now[COUNT], (r->base[COUNT] + 1) << ncont);
- r->now[COUNT] = n;
+ if (r->transfer_handler) {
+ n = r->transfer_handler (r->opaque, ichan + (ncont << 2),
+ r->now[COUNT], (r->base[COUNT] + 1) << ncont);
+ r->now[COUNT] = n;
+ }
 ldebug ("dma_pos %d size %d\n", n, (r->base[COUNT] + 1) << ncont);
 }
Index: qemu/hw/fdc.c
@@ -1322,7 +1322,8 @@
 fd_sector(cur_drv));
 return 0;
 }
- if (bdrv_read(cur_drv->bs, fd_sector(cur_drv), fdctrl->fifo, 1) < 0) {
+ if (cur_drv->bs == NULL ||
+ bdrv_read(cur_drv->bs, fd_sector(cur_drv), fdctrl->fifo, 1) < 0) {
 FLOPPY_DPRINTF("error getting sector %d\n",
 fd_sector(cur_drv));
 /* Sure, image size is too small... */
@@ -1776,7 +1777,8 @@
 if (pos == FD_SECTOR_LEN - 1 ||
 fdctrl->data_pos == fdctrl->data_len) {
 cur_drv = get_cur_drv(fdctrl);
- if (bdrv_write(cur_drv->bs, fd_sector(cur_drv), fdctrl->fifo, 1) < 0) {
+ if (cur_drv->bs == NULL ||
+ bdrv_write(cur_drv->bs, fd_sector(cur_drv), fdctrl->fifo, 1) < 0) {
 FLOPPY_ERROR("writing sector %d\n", fd_sector(cur_drv));
 return;
 }
Index: qemu-0.8.2/hw/pc.c
===================================================================
--- qemu-0.8.2.orig/hw/pc.c 2007-04-20 06:05:58.000000000 +0300
+++ qemu-0.8.2/hw/pc.c 2007-04-20 06:05:59.000000000 +0300
@@ -312,7 +312,8 @@ void bochs_bios_write(void *opaque, uint
 case 0x400:
 case 0x401:
 fprintf(stderr, "BIOS panic at rombios.c, line %d\n", val);
- exit(1);
+ /* according to documentation, these can be safely ignored */
+ break;
 case 0x402:
 case 0x403:
 #ifdef DEBUG_BIOS
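Review bot: When `r->transfer_handler` is NULL the new guard skips the assignment, but the `ldebug ("dma_pos %d size %d\n", n, ...)` call that follows still passes `n`, which is then read uninitialised on that path (the declaration of `n` and the start of channel_run are outside the hunk). Moving the ldebug call inside the new braces, or initialising `n` at its declaration, keeps the trace well-defined; if ldebug expands to nothing in this build the read is only latent, but the compiler will still warn on it. A channel being run with no registered handler is also worth a diagnostic rather than a silent no-op, e.g. an else branch with `ldebug ("no transfer handler for channel %d\n", ichan + (ncont << 2));`.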
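Review bot: The diagnostics under the new `cur_drv->bs == NULL` test no longer match the failure they report: `FLOPPY_DPRINTF("error getting sector %d\n", ...)` and the comment `/* Sure, image size is too small... */` describe a short image, while the guard is taken when `cur_drv->bs` is NULL (presumably no medium attached). A separate `if (cur_drv->bs == NULL)` branch with its own message, or at least a comment `/* no block device attached, or read beyond image end */`, keeps the log useful when tracing a guest that issues floppy I/O without media; the write path in the second fdc.c hunk has the same shape. The enclosing function starts before and ends after the hunk.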
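Review bot: Replacing `exit(1)` with `break` removes a guest-triggered exit of the whole VM, but the `fprintf(stderr, "BIOS panic at rombios.c, line %d\n", val)` just above still runs on every write to port 0x400/0x401, so a guest can now produce unbounded stderr output at port-I/O rate. The neighbouring 0x402/0x403 cases are already wrapped in `#ifdef DEBUG_BIOS`; the same gating, or a once-only flag, would bound this, and the VGA BIOS case in the next hunk (0x501/0x502) has the same property. The comment `/* according to documentation, these can be safely ignored */` would be more useful naming which documentation, and in the second hunk it sits above the fprintf rather than above the `break` it explains.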
@@ -335,8 +336,9 @@ void bochs_bios_write(void *opaque, uint
 /* LGPL'ed VGA BIOS messages */
 case 0x501:
 case 0x502:
+ /* according to documentation, these can be safely ignored */
 fprintf(stderr, "VGA BIOS panic, line %d\n", val);
- exit(1);
+ break;
 case 0x500:
 case 0x503:
 #ifdef DEBUG_BIOS
Index: qemu-0.8.2/hw/sb16.c
===================================================================
--- qemu-0.8.2.orig/hw/sb16.c 2006-07-22 20:23:34.000000000 +0300
+++ qemu-0.8.2/hw/sb16.c 2007-04-20 06:05:59.000000000 +0300
@@ -1235,8 +1235,10 @@ static int SB_read_DMA (void *opaque, in
 s->block_size);
 #endif
- while (s->left_till_irq <= 0) {
- s->left_till_irq = s->block_size + s->left_till_irq;
+ if (s->block_size) {
+ while (s->left_till_irq <= 0) {
+ s->left_till_irq = s->block_size + s->left_till_irq;
+ }
 }
 return dma_pos;
Index: qemu-0.8.2/slirp/slirp.c
===================================================================
--- qemu-0.8.2.orig/slirp/slirp.c 2006-07-22 20:23:34.000000000 +0300
+++ qemu-0.8.2/slirp/slirp.c 2007-04-20 06:05:59.000000000 +0300
@@ -611,6 +611,10 @@ void slirp_input(const uint8_t *pkt, int
 if (!m) return;
 /* Note: we add to align the IP header */
+ /* taviso: large values in ne2k TCNT register may exceed msize on transmit */
+ if (M_FREEROOM(m) < pkt_len + 2) {
+ m_inc(m, pkt_len + 2);
+ }
 m->m_len = pkt_len + 2;
 memcpy(m->m_data + 2, pkt, pkt_len);
Index: qemu-0.8.2/target-i386/translate.c
===================================================================
--- qemu-0.8.2.orig/target-i386/translate.c 2006-07-22 20:23:34.000000000 +0300
+++ qemu-0.8.2/target-i386/translate.c 2007-04-20 06:05:59.000000000 +0300
@@ -5292,6 +5297,7 @@ static target_ulong disas_insn(DisasCont
 gen_jmp_im(pc_start - s->cs_base);
 gen_op_into(s->pc - pc_start);
 break;
+#ifdef WANT_ICEBP
 case 0xf1: /* icebp (undocumented, exits to external debugger) */
 #if 1
 gen_debug(s, pc_start - s->cs_base);
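Review bot: The new `if (s->block_size)` guard only excludes zero, but the loop `while (s->left_till_irq <= 0) { s->left_till_irq = s->block_size + s->left_till_irq; }` also never terminates when `block_size` is negative, since adding a non-positive value cannot bring `left_till_irq` above zero. If `block_size` is a signed field that can be set from guest-written registers (its declaration is outside the hunk, so this is an assumption to confirm), `if (s->block_size > 0)` closes that case as well. When the guard is not taken `left_till_irq` stays at or below zero, so a one-line comment on what the caller does with that state would help the next reader; SB_read_DMA begins before the hunk.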
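Review bot: `pkt_len` is declared `int` in the `slirp_input(const uint8_t *pkt, int` header, and the new `M_FREEROOM(m) < pkt_len + 2` test does not reject a negative value, which would pass the comparison and then reach `memcpy(m->m_data + 2, pkt, pkt_len)` as a huge size_t. A guard such as `if (pkt_len < 0) return;` at the top of the function (outside the hunk) removes that case. The return value of `m_inc(m, pkt_len + 2)` is also not checked; if it can fail to grow the buffer (its contract is not visible here), the memcpy still overruns, so either re-test `M_FREEROOM(m)` after the call or drop the packet on failure. slirp_input starts before the hunk.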
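Review bot: With `WANT_ICEBP` undefined, opcode 0xf1 no longer has a case and falls to whatever the disas_insn switch's default does, which changes guest-visible behaviour for code that executes icebp (presumably an illegal-opcode path now — worth confirming that is the intended result, as the second translate.c hunk closes the same `#ifdef`). Nothing on the page defines or documents `WANT_ICEBP`; a comment at the `#ifdef`, e.g. `/* WANT_ICEBP: lets guest code reach the host debugger/log via icebp; off by default */`, records why the region is conditional. The `#if 1` inside the now-conditional region leaves a dead alternative path that could be removed at the same time. disas_insn starts before and ends after the hunk.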
@@ -5301,6 +5307,7 @@ static target_ulong disas_insn(DisasCont
 cpu_set_log(CPU_LOG_INT | CPU_LOG_TB_IN_ASM);
 #endif
 break;
+#endif /* icebp */
 case 0xfa: /* cli */
 if (!s->vm86) {
 if (s->cpl <= s->iopl) {
Index: qemu-0.8.2/vl.c
===================================================================
--- qemu-0.8.2.orig/vl.c 2007-04-20 06:05:59.000000000 +0300
+++ qemu-0.8.2/vl.c 2007-04-20 06:05:59.000000000 +0300
@@ -3139,8 +3139,8 @@ typedef struct NetSocketState {
 VLANClientState *vc;
 int fd;
 int state; /* 0 = getting length, 1 = getting data */
- int index;
- int packet_len;
+ unsigned int index;
+ unsigned int packet_len;
 uint8_t buf[4096];
 struct sockaddr_in dgram_dst; /* contains inet host and port destination iff connectionless (SOCK_DGRAM) */
 } NetSocketState;
@@ -3171,7 +3171,8 @@ static void net_socket_receive_dgram(voi
 static void net_socket_send(void *opaque)
 {
 NetSocketState *s = opaque;
- int l, size, err;
+ int size, err;
+ unsigned l;
 uint8_t buf1[4096];
 const uint8_t *buf;
@@ -3210,7 +3211,15 @@ static void net_socket_send(void *opaque
 l = s->packet_len - s->index;
 if (l > size)
 l = size;
- memcpy(s->buf + s->index, buf, l);
+ if (s->index + l <= sizeof(s->buf)) {
+ memcpy(s->buf + s->index, buf, l);
+ } else {
+ fprintf(stderr, "serious error: oversized packet received,"
+ "connection terminated.\n");
+ s->state = 0;
+ goto eoc;
+ }
+
 s->index += l;
 buf += l;
 size -= l;
Index: qemu/block.c
@@ -539,8 +539,15 @@
 return -ENOMEDIUM;
 if (bs->read_only)
 return -EACCES;
+ if (sector_num < 0)
+ return -EACCES;
 if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
 memcpy(bs->boot_sector_data, buf, 512);
+ }
+ {
+ unsigned int ns = sector_num * 512;
+ if (ns < 0)
+ return -EACCES;
 }
 if (drv->bdrv_pwrite) {
 int ret, len;
Index: qemu/hw/i8259.c
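Review bot: The two adjacent string literals in the new error path concatenate with no separator, so the message prints as `...oversized packet received,connection terminated.`; add a space after the comma. The bound is also enforced only at the copy, after `l = s->packet_len - s->index` has been computed, so an oversized `packet_len` is accepted when the length header is parsed and rejected only once data arrives; validating it where the length is read (outside the hunk, before `state` becomes 1) fails earlier and avoids partially filling `buf`. The `int` to `unsigned int` change in the first vl.c hunk makes `s->packet_len - s->index` wrap rather than go negative, which the `if (l > size)` clamp then masks silently, and `s->index` is not reset alongside `s->state = 0` while whether `goto eoc` really closes the connection as the message claims is not visible here. net_socket_send continues outside the hunk.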
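Review bot: The added `unsigned int ns = sector_num * 512; if (ns < 0) return -EACCES;` can never trigger, because an unsigned value is never below zero (gcc -Wextra warns on exactly this), so the block is dead code and the offset overflow it appears to target is not caught; the multiplication itself can also overflow in `sector_num`'s own type before the conversion. Checking before multiplying, e.g. `if (sector_num > INT_MAX / 512) return -EACCES;`, is the usual form, with the bound chosen for the actual width of `sector_num`, whose declaration is outside the hunk. `-EACCES` is also a surprising code for an out-of-range sector number, in both new checks; `-EINVAL` is the conventional choice. The enclosing function starts before and ends after the hunk.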
@@ -302,7 +302,8 @@
 s->init4 = val & 1;
 s->single_mode = val & 2;
 if (val & 0x08)
- hw_error("level sensitive irq not supported");
+ /* hw_error("level sensitive irq not supported"); */
+ return;
 } else if (val & 0x08) {
 if (val & 0x04)
 s->poll = 1;
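Review bot: Replacing `hw_error(...)` with a bare `return` leaves the ICW1 write half-applied: `s->init4` and `s->single_mode` have already been stored when the `val & 0x08` bit is seen, and whatever initialisation follows in the function (outside the hunk) is skipped, so the controller state matches neither the old nor the new ICW1. For a guest-controlled register the more predictable choice is to ignore the unsupported bit and continue (edge-triggered behaviour), logging once, e.g. `/* level-triggered mode (LTIM) not supported; treat as edge-triggered */` in place of the return. The commented-out `/* hw_error(...); */` should be deleted rather than kept, and the `if (val & 0x08)` body should be braced now that it spans a comment and a statement. The enclosing function starts before and ends after the hunk.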