@@ -3901,7 +3901,7 @@ static inline abi_long do_semtimedop(int semid,
unsigned nsops,
abi_long timeout)
{
- struct sembuf sops[nsops];
+ struct sembuf *sops;
struct timespec ts, *pts = NULL;
abi_long ret;
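Review bot: The replacement declaration `struct sembuf *sops;` leaves the heap buffer's lifetime to hand-written g_free() calls on each exit path; declaring it as `g_autofree struct sembuf *sops = NULL;` would release it on every return automatically and remove the chance of a leak if a future early return is added between the allocation and the final free. QEMU's glib wrapper provides g_autofree, though whether this file already uses it elsewhere is not visible from the page, so match the file's existing convention. The body of do_semtimedop continues outside this hunk.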
@@ -3912,8 +3912,16 @@ static inline abi_long do_semtimedop(int semid,
}
}
- if (target_to_host_sembuf(sops, ptr, nsops))
+ if (nsops > TARGET_SEMOPM) {
+ return -TARGET_E2BIG;
+ }
+
+ sops = g_new(struct sembuf, nsops);
+
+ if (target_to_host_sembuf(sops, ptr, nsops)) {
+ g_free(sops);
return -TARGET_EFAULT;
+ }
ret = -TARGET_ENOSYS;
#ifdef __NR_semtimedop
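Review bot: The new guard `if (nsops > TARGET_SEMOPM)` has no comment stating why it exists: it bounds a guest-controlled count before `g_new(struct sembuf, nsops)` sizes an allocation from it, and is not meant to reproduce the host limit, which the host kernel enforces separately (Linux exposes SEMOPM through the sem sysctl, so the host value may differ from 500). I would add `/* Bound the guest-supplied count before allocating from it; the host kernel still applies its own SEMOPM limit. */` above the check. Separately, g_new() yields NULL for a count of zero, so with nsops == 0 target_to_host_sembuf() is handed a NULL buffer; whether its lock_user path tolerates that cannot be seen in this hunk, so either confirm it or reject nsops == 0 with `-TARGET_EINVAL` alongside the E2BIG check. The enclosing function starts before and ends after this hunk.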
@@ -3925,6 +3933,7 @@ static inline abi_long do_semtimedop(int semid,
SEMTIMEDOP_IPC_ARGS(nsops, sops, (long)pts)));
}
#endif
+ g_free(sops);
return ret;
}
#endif
@@ -46,6 +46,8 @@
#define IPCOP_shmget 23
#define IPCOP_shmctl 24
+#define TARGET_SEMOPM 500
+
/*
* The following is for compatibility across the various Linux
* platforms. The i386 ioctl numbering scheme doesn't really enforce