ide/atapi: Fix START STOP UNIT command completion
rtl8139: avoid nested ifs in IP header parsing (CVE-2015-5165)
rtl8139: drop tautologous if (ip) {...} statement (CVE-2015-5165)
rtl8139: skip offload on short Ethernet/IP header (CVE-2015-5165)
rtl8139: check IP Header Length field (CVE-2015-5165)
rtl8139: check IP Total Length field (CVE-2015-5165)
rtl8139: skip offload on short TCP header (CVE-2015-5165)
rtl8139: check TCP Data Offset field (CVE-2015-5165)
scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)
slirp: use less predictable directory name in /tmp for smb config (CVE-2015-4037)
i8254: fix out-of-bounds memory access in pit_ioport_read() (CVE-2015-3214)
incrementally decode websocket frames (CVE-2015-1779)
limit size of HTTP headers from websockets clients (CVE-2015-1779)

mGBA is a Game Boy Advance emulator.
It provides:
- Near full Game Boy Advance hardware support.
- Fast emulation.
- Save type detection, even for flash memory size.
- Real-time clock support.
- A built-in BIOS implementation, and ability to load external BIOS.
- Frameskip, configurable up to 9.
- Screenshot support.
- 9 savestate slots. Savestates are also viewable as screenshots.
- Video and GIF recording.
- Remappable controls for both keyboards and gamepads.
- IPS and UPS patch support.
- Game debugging via a command-line interface and GDB remote support.
- Configurable emulation rewinding.
ok bcallah@

CVE-2015-3456 fdc: force the fifo access to be in bounds of the allocated buffer
During processing of certain commands such as FD_CMD_READ_ID and
FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
get out of bounds leading to memory corruption with values coming
from the guest.
Fix this by making sure that the index is always bounded by the
allocated memory.

CVE-2015-3209 pcnet: force the buffer access to be in bounds during tx
4096 is the maximum length per TMD and it is also currently the size of
the relay buffer pcnet driver uses for sending the packet data to QEMU
for further processing. With packet spanning multiple TMDs it can
happen that the overall packet size will be bigger than sizeof(buffer),
which results in memory corruption.
Fix this by only allowing to queue maximum sizeof(buffer) bytes.
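
The CVE-2015-3209 description above, modelled as an added example (not QEMU's or the port's code): a relay buffer sized for one TMD receives data from several descriptors, and the bounded append clamps the total to sizeof(buffer). The struct, the function names and the canary field are hypothetical; the 3000-byte chunks are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TMD_MAX_LEN 4096u  /* maximum length per TMD, from the commit message */

/* Hypothetical model of the transmit state; not QEMU's own structure. */
struct tx_relay {
    uint8_t  buffer[TMD_MAX_LEN]; /* relay buffer, sized for a single TMD */
    uint32_t canary;              /* stands in for whatever follows the buffer */
    size_t   xmit_pos;            /* bytes queued so far for the current packet */
};

void tx_reset(struct tx_relay *s)
{
    memset(s, 0, sizeof(*s));
    s->canary = 0xC0FFEEu;
}

/* Bytes an unchecked append would write past the buffer (computed, not written). */
size_t tx_overrun_if_unchecked(const struct tx_relay *s, size_t len)
{
    size_t end = s->xmit_pos + len;
    return end > sizeof(s->buffer) ? end - sizeof(s->buffer) : 0;
}

/* Bounded append: queue at most sizeof(buffer) bytes in total.
 * xmit_pos never exceeds sizeof(buffer), so `room` cannot underflow. */
size_t tx_queue_bounded(struct tx_relay *s, const uint8_t *data, size_t len)
{
    size_t room = sizeof(s->buffer) - s->xmit_pos;
    if (len > room)
        len = room;               /* drop the excess instead of overflowing */
    memcpy(s->buffer + s->xmit_pos, data, len);
    s->xmit_pos += len;
    return len;
}

int main(void)
{
    static uint8_t chunk[3000];   /* constructed guest data for one TMD */
    struct tx_relay s;
    tx_reset(&s);
    tx_queue_bounded(&s, chunk, sizeof(chunk));
    printf("unchecked overrun: %zu\n", tx_overrun_if_unchecked(&s, sizeof(chunk)));
    printf("queued: %zu\n", tx_queue_bounded(&s, chunk, sizeof(chunk)));
    return s.canary == 0xC0FFEEu ? 0 : 1;
}
```

Each chunk is below the per-TMD limit, so a per-descriptor length check alone would accept both; only the check against the running total keeps the second write inside the buffer.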
License location change noticed by benoit@
MAME is no longer offered as a package. There has been a bit of a license
mess and it's no longer clear if we can distribute anything. Sorry, if you
want MAME you'll have to build the port. Originally brought up by bentley@
ok benoit@