authorPeter Maydell <peter.maydell@linaro.org>2021-08-26 18:03:57 +0100
committerPeter Maydell <peter.maydell@linaro.org>2021-08-26 18:03:57 +0100
commitf214d8e0150766c31172e16ef4b17674f549d852 (patch)
treebf264f12784e006e52ee326149259ea4940b6ab9 /hw/core
parentc83fcfaf8a54d0d034bd0edf7bbb3b0d16669be9 (diff)
parentd2e6f370138a7f32bc28b20dcd55374b7a638f39 (diff)
Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20210826' into staging
target-arm queue:
 * hw/dma/xlnx-zdma, xlnx_csu_dma: Require 'dma' link property to be set
 * hw/arm/Kconfig: no need to enable ACPI_MEMORY_HOTPLUG/ACPI_NVDIMM explicitly
 * target/arm/cpu: Introduce sve_vq_supported bitmap
 * docs/specs: Convert ACPI spec docs to rST
 * arch_init: Clean up and refactoring
 * hw/core/loader: In gunzip(), check index is in range before use, not after
 * softmmu/physmem.c: Remove unneeded NULL check in qemu_ram_alloc_from_fd()
 * softmmu/physmem.c: Check return value from realpath()
 * Zero-initialize sockaddr_in structs
 * raspi: Use error_fatal for SoC realize errors, not error_abort
 * target/arm: Avoid assertion trying to use KVM and multiple ASes
 * target/arm: Implement HSTR.TTEE
 * target/arm: Implement HSTR.TJDBX
 * target/arm: Do hflags rebuild in cpsr_write()
 * hw/arm/xlnx-versal, xlnx-zynqmp: Add unimplemented APU mmio

# gpg: Signature made Thu 26 Aug 2021 18:02:10 BST
# gpg:                using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg:                issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [ultimate]
# gpg:                 aka "Peter Maydell <pmaydell@gmail.com>" [ultimate]
# gpg:                 aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [ultimate]
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83  15CF 3C25 25ED 1436 0CDE

* remotes/pmaydell/tags/pull-target-arm-20210826: (37 commits)
  hw/arm/xlnx-zynqmp: Add unimplemented APU mmio
  hw/arm/xlnx-versal: Add unimplemented APU mmio
  target/arm: Do hflags rebuild in cpsr_write()
  target/arm: Implement HSTR.TJDBX
  target/arm: Implement HSTR.TTEE
  hw/arm/virt: Delete EL3 error checksnow provided in CPU realize
  target/arm: Avoid assertion trying to use KVM and multiple ASes
  raspi: Use error_fatal for SoC realize errors, not error_abort
  tests/tcg/multiarch/linux-test: Zero-initialize sockaddr structs
  tests/qtest/ipmi-bt-test: Zero-initialize sockaddr struct
  gdbstub: Zero-initialize sockaddr structs
  net: Zero sockaddr_in in parse_host_port()
  softmmu/physmem.c: Check return value from realpath()
  softmmu/physmem.c: Remove unneeded NULL check in qemu_ram_alloc_from_fd()
  hw/core/loader: In gunzip(), check index is in range before use, not after
  stubs: Remove unused arch_type.c stub
  arch_init.h: Don't include arch_init.h unnecessarily
  arch_init.h: Move QEMU_ARCH_VIRTIO_* to qdev-monitor.c
  arch_init.h: Add QEMU_ARCH_HEXAGON
  meson.build: Define QEMU_ARCH in config-target.h
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'hw/core')
-rw-r--r--hw/core/loader.c35
1 files changed, 25 insertions, 10 deletions
diff --git a/hw/core/loader.c b/hw/core/loader.c
index 5b34869a54..c623318b73 100644
--- a/hw/core/loader.c
+++ b/hw/core/loader.c
@@ -555,24 +555,35 @@ ssize_t gunzip(void *dst, size_t dstlen, uint8_t *src, size_t srclen)
 
     /* skip header */
     i = 10;
+    if (srclen < 4) {
+        goto toosmall;
+    }
     flags = src[3];
     if (src[2] != DEFLATED || (flags & RESERVED) != 0) {
         puts ("Error: Bad gzipped data\n");
         return -1;
     }
-    if ((flags & EXTRA_FIELD) != 0)
+    if ((flags & EXTRA_FIELD) != 0) {
+        if (srclen < 12) {
+            goto toosmall;
+        }
         i = 12 + src[10] + (src[11] << 8);
-    if ((flags & ORIG_NAME) != 0)
-        while (src[i++] != 0)
-            ;
-    if ((flags & COMMENT) != 0)
-        while (src[i++] != 0)
-            ;
-    if ((flags & HEAD_CRC) != 0)
+    }
+    if ((flags & ORIG_NAME) != 0) {
+        while (i < srclen && src[i++] != 0) {
+            /* do nothing */
+        }
+    }
+    if ((flags & COMMENT) != 0) {
+        while (i < srclen && src[i++] != 0) {
+            /* do nothing */
+        }
+    }
+    if ((flags & HEAD_CRC) != 0) {
         i += 2;
+    }
     if (i >= srclen) {
-        puts ("Error: gunzip out of data in header\n");
-        return -1;
+        goto toosmall;
     }
 
     s.zalloc = zalloc;
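Review bot: Two of the header skips still advance `i` with no bounds check of their own: the extra-field length built from `src[10]` and `src[11]`, and the `i += 2` for HEAD_CRC. In the new code this is safe because the name and comment loops test `i < srclen` before each read and the final `if (i >= srclen)` rejects an overshoot, but nothing in the code says that the final check carries this. I would add a comment above it, for example `/* i may be past the end of src here (extra field length, CRC skip); reject before it is used as an offset */`, so that a later edit does not place a read of `src[i]` between the skips and the check. The declaration of `i` and the rest of gunzip() lie outside the hunk.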
@@ -596,6 +607,10 @@ ssize_t gunzip(void *dst, size_t dstlen, uint8_t *src, size_t srclen)
     inflateEnd(&s);
 
     return dstbytes;
+
+toosmall:
+    puts("Error: gunzip out of data in header\n");
+    return -1;
 }
 
 /* Load a U-Boot image.  */
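Review bot: `puts()` appends its own newline, so the trailing `\n` in the message at the `toosmall` label prints a blank line after the error; `puts("Error: gunzip out of data in header");` gives the same text without it. The `Bad gzipped data` message in the first hunk has the same form and would be changed with it. Both messages go to stdout, which is easy to miss when the caller only reports a generic load failure; whether the file's usual error-reporting helper is in scope here cannot be seen from the hunk.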