eif: cope with huge section offsets

author Paolo Bonzini <pbonzini@redhat.com>

Tue, 5 Nov 2024 12:53:55 +0000 (13:53 +0100)

committer Paolo Bonzini <pbonzini@redhat.com>

Thu, 7 Nov 2024 15:54:02 +0000 (16:54 +0100)
author Paolo Bonzini <pbonzini@redhat.com>
Tue, 5 Nov 2024 12:53:55 +0000 (13:53 +0100)
committer Paolo Bonzini <pbonzini@redhat.com>
Thu, 7 Nov 2024 15:54:02 +0000 (16:54 +0100)
diff --git a/hw/core/eif.c b/hw/core/eif.c

index 7f3b2edc9a765d74c72d5fef619f56ea6d208235..61329aacfe1183be8948499d37660dfafb03595b 100644 (file)
--- a/hw/core/eif.c
+++ b/hw/core/eif.c
@@ -466,6 +466,10 @@ bool read_eif_file(const char *eif_path, const char *machine_initrd,
          EifSectionHeader hdr;
          uint16_t section_type;
  
+        if (eif_header.section_offsets[i] > OFF_MAX) {
+            error_setg(errp, "Invalid EIF image. Section offset out of bounds");
+            goto cleanup;
+        }
          if (fseek(f, eif_header.section_offsets[i], SEEK_SET) != 0) {
              error_setg_errno(errp, errno, "Failed to offset to %" PRIu64 " in EIF file",
                               eif_header.section_offsets[i]);
diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h

index fe7c3c5f67314b9f80247061d032f23a2240ec7e..fdff07fd992bca9fc370965f22926114885d0713 100644 (file)
--- a/include/qemu/osdep.h
+++ b/include/qemu/osdep.h
@@ -297,6 +297,10 @@ void QEMU_ERROR("code path is reachable")
  #error building with G_DISABLE_ASSERT is not supported
  #endif
  
+#ifndef OFF_MAX
+#define OFF_MAX (sizeof (off_t) == 8 ? INT64_MAX : INT32_MAX)
+#endif
+
  #ifndef O_LARGEFILE
  #define O_LARGEFILE 0
  #endif
author	Paolo Bonzini <pbonzini@redhat.com>
	Tue, 5 Nov 2024 12:53:55 +0000 (13:53 +0100)
committer	Paolo Bonzini <pbonzini@redhat.com>
	Thu, 7 Nov 2024 15:54:02 +0000 (16:54 +0100)
hw/core/eif.c		patch \| blob \| history
include/qemu/osdep.h		patch \| blob \| history