diff options
| author | Paolo Bonzini <pbonzini@redhat.com> | 2015-09-14 12:07:22 +0200 |
|---|---|---|
| committer | Michael Tokarev <mjt@tls.msk.ru> | 2015-10-08 19:46:01 +0300 |
| commit | ec5fd402645fd4f03d89dcd5840b0e8542549e82 (patch) | |
| tree | 436f86413a54a3a7726cd477dee86a935ec1dd70 /hw/i386/pc.c | |
| parent | 16033ba577059c5675e4c786234c46027380c29b (diff) | |
| download | focaccia-qemu-ec5fd402645fd4f03d89dcd5840b0e8542549e82.tar.gz focaccia-qemu-ec5fd402645fd4f03d89dcd5840b0e8542549e82.zip | |
pc: check for underflow in load_linux
If (setup_size+1)*512 is small enough, kernel_size -= setup_size can allocate a huge amount of memory. Avoid that. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Diffstat (limited to 'hw/i386/pc.c')
| -rw-r--r-- | hw/i386/pc.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/hw/i386/pc.c b/hw/i386/pc.c index 9275297adc..682867a8a9 100644 --- a/hw/i386/pc.c +++ b/hw/i386/pc.c @@ -985,6 +985,10 @@ static void load_linux(PCMachineState *pcms, setup_size = 4; } setup_size = (setup_size+1)*512; + if (setup_size > kernel_size) { + fprintf(stderr, "qemu: invalid kernel header\n"); + exit(1); + } kernel_size -= setup_size; setup = g_malloc(setup_size); |