freebsd-ports/emulators/qemu-devel/files/patch-90_security

Index: qemu/hw/dma.c
@@ -344,9 +344,11 @@ static void channel_run (int ncont, int 
     }
 #endif
 
-    n = r->transfer_handler (r->opaque, ichan + (ncont << 2),
-                             r->now[COUNT], (r->base[COUNT] + 1) << ncont);
-    r->now[COUNT] = n;
+    if (r->transfer_handler) {
+        n = r->transfer_handler (r->opaque, ichan + (ncont << 2),
+                                 r->now[COUNT], (r->base[COUNT] + 1) << ncont);
+        r->now[COUNT] = n;
+    }
     ldebug ("dma_pos %d size %d\n", n, (r->base[COUNT] + 1) << ncont);
 }
 
Index: qemu/hw/fdc.c
@@ -1322,7 +1322,8 @@
                                    fd_sector(cur_drv));
                     return 0;
                 }
-            if (bdrv_read(cur_drv->bs, fd_sector(cur_drv), fdctrl->fifo, 1) < 0) {
+            if (cur_drv->bs == NULL ||
+                bdrv_read(cur_drv->bs, fd_sector(cur_drv), fdctrl->fifo, 1) < 0) {
                 FLOPPY_DPRINTF("error getting sector %d\n",
                                fd_sector(cur_drv));
                 /* Sure, image size is too small... */
@@ -1776,7 +1777,8 @@
         if (pos == FD_SECTOR_LEN - 1 ||
             fdctrl->data_pos == fdctrl->data_len) {
             cur_drv = get_cur_drv(fdctrl);
-            if (bdrv_write(cur_drv->bs, fd_sector(cur_drv), fdctrl->fifo, 1) < 0) {
+            if (cur_drv->bs == NULL ||
+                bdrv_write(cur_drv->bs, fd_sector(cur_drv), fdctrl->fifo, 1) < 0) {
                 FLOPPY_ERROR("writing sector %d\n", fd_sector(cur_drv));
                 return;
             }
Index: qemu-0.8.2/hw/sb16.c
===================================================================
--- qemu-0.8.2.orig/hw/sb16.c	2006-07-22 20:23:34.000000000 +0300
+++ qemu-0.8.2/hw/sb16.c	2007-04-20 06:05:59.000000000 +0300
@@ -1235,8 +1235,10 @@ static int SB_read_DMA (void *opaque, in
             s->block_size);
 #endif
 
-    while (s->left_till_irq <= 0) {
-        s->left_till_irq = s->block_size + s->left_till_irq;
+    if (s->block_size) {
+        while (s->left_till_irq <= 0) {
+            s->left_till_irq = s->block_size + s->left_till_irq;
+        }
     }
 
     return dma_pos;
Index: qemu/hw/i8259.c
@@ -291,7 +291,8 @@ static void pic_ioport_write(void *opaqu
             s->init4 = val & 1;
             s->single_mode = val & 2;
             if (val & 0x08) {
-                hw_error("level sensitive irq not supported");
+                /* hw_error("level sensitive irq not supported"); */
+                return;
             }
         } else if (val & 0x08) {
             if (val & 0x04) {