blk_getlength() returns an int64_t but the result is stored in a
uint32_t. Errors (negative values) won't be caught by the check in
pnv_pnor_realize() and blk_blockalign() will allocate a very large
buffer in such cases.
Fixes Coverity issue CID
1412226.
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <
20200107171809.15556-3-clg@kaod.org>
Reviewed-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
}
static Property pnv_pnor_properties[] = {
- DEFINE_PROP_UINT32("size", PnvPnor, size, 128 << 20),
+ DEFINE_PROP_INT64("size", PnvPnor, size, 128 << 20),
DEFINE_PROP_DRIVE("drive", PnvPnor, blk),
DEFINE_PROP_END_OF_LIST(),
};
BlockBackend *blk;
uint8_t *storage;
- uint32_t size;
+ int64_t size;
MemoryRegion mmio;
} PnvPnor;