Index: xen-3.1.0-src/tools/ioemu/block.c
===================================================================
--- xen-3.1.0-src.orig/tools/ioemu/block.c
+++ xen-3.1.0-src/tools/ioemu/block.c
@@ -465,6 +465,11 @@ int bdrv_write(BlockDriverState *bs, int
 if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
 memcpy(bs->boot_sector_data, buf, 512);
 }
+ {
+ unsigned int ns = sector_num * 512;
+ if (ns < 0)
+ return -1;
+ }
 return bs->drv->bdrv_write(bs, sector_num, buf, nb_sectors);
 }
Index: xen-3.1.0-src/tools/ioemu/hw/fdc.c
===================================================================
--- xen-3.1.0-src.orig/tools/ioemu/hw/fdc.c
+++ xen-3.1.0-src/tools/ioemu/hw/fdc.c
@@ -1110,8 +1110,13 @@ static uint32_t fdctrl_read_data (fdctrl
 len = fdctrl->data_len - fdctrl->data_pos;
 if (len > FD_SECTOR_LEN)
 len = FD_SECTOR_LEN;
- bdrv_read(cur_drv->bs, fd_sector(cur_drv),
- fdctrl->fifo, len);
+ if (cur_drv->bs) {
+ bdrv_read(cur_drv->bs, fd_sector(cur_drv),
+ fdctrl->fifo, len);
+ } else {
+ FLOPPY_ERROR("can't read data from drive\n");
+ return 0;
+ }
 }
 }
 retval = fdctrl->fifo[pos];
Index: xen-3.1.0-src/tools/ioemu/hw/ne2000.c
===================================================================
--- xen-3.1.0-src.orig/tools/ioemu/hw/ne2000.c
+++ xen-3.1.0-src/tools/ioemu/hw/ne2000.c
@@ -252,7 +252,7 @@ static void ne2000_receive(void *opaque,
 {
 NE2000State *s = opaque;
 uint8_t *p;
- int total_len, next, avail, len, index, mcast_idx;
+ unsigned int total_len, next, avail, len, index, mcast_idx;
 uint8_t buf1[60];
 static const uint8_t broadcast_macaddr[6] =
 { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
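Review bot: The guard added to bdrv_write can never fire: `ns` is declared `unsigned int`, so `ns < 0` is always false and the compiler may drop the whole block; the product is also narrowed to 32 bits on assignment. Testing the inputs directly, `if (sector_num < 0 || nb_sectors < 0) return -1;`, together with an upper bound against the image's sector count, would do what the block appears to intend. That check also belongs ahead of the `memcpy` into `bs->boot_sector_data` rather than after it. The parameter types are cut off in the hunk header and the function starts outside the hunk, so the quoted line assumes both values are signed.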
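Review bot: The result of `bdrv_read` is still discarded inside the new `if (cur_drv->bs)` branch of fdctrl_read_data, so a failed read leaves the previous contents of `fdctrl->fifo` to be handed back through `retval = fdctrl->fifo[pos]`. Routing it into the new error path covers both cases, assuming bdrv_read reports failure with a negative value: `if (!cur_drv->bs || bdrv_read(cur_drv->bs, fd_sector(cur_drv), fdctrl->fifo, len) < 0) { FLOPPY_ERROR("can't read data from drive\n"); return 0; }`. Separately, `len` is a byte count capped at FD_SECTOR_LEN; if bdrv_read's last argument is a sector count like bdrv_write's `nb_sectors` in block.c, the amount read should be confirmed against the size of `fifo`. The function starts and ends outside this hunk.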
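Review bot: Making all six locals `unsigned int` changes the meaning of every comparison they take part in, and most of ne2000_receive lies outside this hunk. `size` looks signed (`while (size > 0)` in the next hunk), so `len = size` and `len > avail` now mix signedness, and any existing `< 0` test on these variables would silently become dead. Limiting the change to the buffer-offset variables, e.g. `unsigned int index, avail, len;` with the others left as `int`, plus a comment giving the reason, would be easier to audit.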
@@ -327,7 +327,11 @@ static void ne2000_receive(void *opaque,
 /* write packet data */
 while (size > 0) {
- avail = s->stop - index;
+ /* taviso: this can wrap, so check its okay. */
+ if (index <= s->stop)
+ avail = s->stop - index;
+ else
+ avail = 0;
 len = size;
 if (len > avail)
 len = avail;
Index: xen-3.1.0-src/tools/ioemu/hw/sb16.c
===================================================================
--- xen-3.1.0-src.orig/tools/ioemu/hw/sb16.c
+++ xen-3.1.0-src/tools/ioemu/hw/sb16.c
@@ -1235,8 +1235,10 @@ static int SB_read_DMA (void *opaque, in
 s->block_size);
 #endif
- while (s->left_till_irq <= 0) {
- s->left_till_irq = s->block_size + s->left_till_irq;
+ if (s->block_size) {
+ while (s->left_till_irq <= 0) {
+ s->left_till_irq = s->block_size + s->left_till_irq;
+ }
 }
 return dma_pos;
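Review bot: Setting `avail = 0` in the new else branch makes `len` zero for that iteration, and if the rest of the loop (outside this hunk) advances `index` and `size` only by `len`, `while (size > 0)` would make no progress and never terminate. The out-of-range case should leave the loop or drop the packet rather than continue, e.g. `else break;`, or better, `index` should be validated against `s->start` and `s->stop` before the loop is entered. The comment would be clearer as `/* index may exceed s->stop, in which case the subtraction wraps */`.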
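Review bot: The new guard in SB_read_DMA tests only for zero, so a negative `s->block_size` would still enter `while (s->left_till_irq <= 0)` with a negative step, moving away from the exit condition until the signed addition overflows. If `block_size` is a signed field (its declaration is not in this hunk), `if (s->block_size > 0) {` closes both cases. A one-line comment such as `/* a zero block size would spin here forever */` would tell the next reader why the guard exists.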