pc: check for underflow in load_linux
authorPaolo Bonzini <pbonzini@redhat.com>
Mon, 14 Sep 2015 10:07:22 +0000 (12:07 +0200)
committerMichael Tokarev <mjt@tls.msk.ru>
Thu, 8 Oct 2015 16:46:01 +0000 (19:46 +0300)
If (setup_size+1)*512 is small enough, kernel_size -= setup_size can allocate
a huge amount of memory.  Avoid that.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
hw/i386/pc.c

index 9275297adcfd27c4f5403da1a6832ce10cf1dc0b..682867a8a9909f15368dcbe8dc61f3c9463e3a28 100644 (file)
@@ -985,6 +985,10 @@ static void load_linux(PCMachineState *pcms,
         setup_size = 4;
     }
     setup_size = (setup_size+1)*512;
+    if (setup_size > kernel_size) {
+        fprintf(stderr, "qemu: invalid kernel header\n");
+        exit(1);
+    }
     kernel_size -= setup_size;
 
     setup  = g_malloc(setup_size);
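Review bot: The new guard rejects setup_size > kernel_size but still admits setup_size == kernel_size, which leaves kernel_size at 0 after the subtraction on the next line; presumably the later allocation and read of the kernel payload (outside this hunk) then proceed on a zero-byte image without any diagnostic, so `if (setup_size >= kernel_size)` would be the tighter check if an empty kernel payload is never meaningful here. The underflow case the commit targets looks covered, assuming both variables are signed ints and setup_size is bounded by the single header byte it appears to be derived from (the fallback of 4 on the line above the computation suggests so), since the comparison then happens between two non-negative values before the subtraction. The message could also carry the offending values to make a malformed image easier to diagnose, e.g. `fprintf(stderr, "qemu: invalid kernel header: setup_size %d exceeds kernel_size %d\n", setup_size, kernel_size);`, matching the other "qemu: ..." diagnostics in this function. The body of load_linux starts before and continues past this hunk.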