(parent: 16033ba)
pc: check for underflow in load_linux
author: Paolo Bonzini <pbonzini@redhat.com>, Mon, 14 Sep 2015 10:07:22 +0000 (12:07 +0200)
committer: Michael Tokarev <mjt@tls.msk.ru>, Thu, 8 Oct 2015 16:46:01 +0000 (19:46 +0300)
If (setup_size+1)*512 is small enough, kernel_size -= setup_size can allocate
a huge amount of memory. Avoid that.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
hw/i386/pc.c
diff --git
a/hw/i386/pc.c
b/hw/i386/pc.c
index 9275297adcfd27c4f5403da1a6832ce10cf1dc0b..682867a8a9909f15368dcbe8dc61f3c9463e3a28 100644
(file)
--- a/
hw/i386/pc.c
+++ b/
hw/i386/pc.c
@@
-985,6
+985,10
@@
static void load_linux(PCMachineState *pcms,
setup_size = 4;
}
setup_size = (setup_size+1)*512;
+ if (setup_size > kernel_size) {
+ fprintf(stderr, "qemu: invalid kernel header\n");
+ exit(1);
+ }
kernel_size -= setup_size;
setup = g_malloc(setup_size);
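Review bot: the guard `if (setup_size > kernel_size)` stops `kernel_size -= setup_size` from wrapping below zero, but it still lets `setup_size == kernel_size` through, which leaves `kernel_size` at zero with no kernel payload after the setup sectors; if a zero-length kernel is not a meaningful input here, `>=` would reject it at the same point. The message `qemu: invalid kernel header` would also be more useful for diagnosing a bad image if it printed the two sizes being compared (`setup_size` and `kernel_size`) rather than only stating that the header is invalid.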