| field | value | date |
|---|---|---|
| author | Markus Armbruster <armbru@redhat.com> | 2013-01-23 18:25:08 +0100 |
| committer | Blue Swirl <blauwirbel@gmail.com> | 2013-01-26 13:23:33 +0000 |
| commit | d09acb9b5ef0bb4fa94d3d459919a6ebaf8804bc (patch) | |
| tree | 3ab5a8bc33f0856f130c055b1c1eba2e7585ce9a /vl.c | |
| parent | a6e7c18476f5383720b3f57ef4f467b2e7c2565e (diff) | |
| download | focaccia-qemu-d09acb9b5ef0bb4fa94d3d459919a6ebaf8804bc.tar.gz, focaccia-qemu-d09acb9b5ef0bb4fa94d3d459919a6ebaf8804bc.zip | |
fw_cfg: Splash image loader can overrun a stack variable, fix
read_splashfile() passes the address of an int variable as size_t * parameter to g_file_get_contents(), with a cast to gag the compiler. No problem on machines where sizeof(size_t) == sizeof(int).

Happens to work on my x86_64 box (64 bit little endian): the least significant 32 bits of the file size end up in the right place (caller's variable file_size), and the most significant 32 bits clobber a place that gets assigned to before its next use (caller's variable file_type). I'd expect it to break on a 64 bit big-endian box.

Fix up the variable types and drop the problematic cast.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
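The mechanism the commit message describes, as an added example that is not QEMU's code: a constructed stand-in for g_file_get_contents() writes an 8-byte size_t through its out-parameter (a 64-bit host), the caller's frame is modelled as explicit byte slots with file_type assumed to sit immediately after file_size (a layout assumption; the real placement is up to the compiler), and both the buggy int-sized slot and the fixed size_t-sized slot are exercised in little- and big-endian byte order. The 0x11223344 file length and the 0xDEADBEEF sentinel are constructed values; modelling the frame as bytes keeps the demonstration deterministic instead of relying on the undefined behaviour of the original cast.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: the length our fake g_file_get_contents() reports. */
#define SAMPLE_FILE_SIZE ((uint64_t)0x11223344u)
/* Constructed sentinel so a clobber of file_type is visible. */
#define FILE_TYPE_SENTINEL 0xDEADBEEFu

struct result { uint64_t file_size; uint32_t file_type; };

/* Store the low n bytes of v at dst in the chosen byte order. */
static void store(unsigned char *dst, uint64_t v, size_t n, int big_endian)
{
    for (size_t i = 0; i < n; i++) {
        size_t b = big_endian ? n - 1 - i : i;
        dst[i] = (unsigned char)(v >> (b * 8));
    }
}

/* Load n bytes at src as an integer in the chosen byte order. */
static uint64_t load(const unsigned char *src, size_t n, int big_endian)
{
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++) {
        size_t b = big_endian ? n - 1 - i : i;
        v |= (uint64_t)src[i] << (b * 8);
    }
    return v;
}

/* Stand-in for g_file_get_contents(): it reports the length through a
 * size_t out-parameter, modelled here as an 8-byte store (64-bit host). */
static void callee_reports_length(unsigned char *length_slot, int big_endian)
{
    store(length_slot, SAMPLE_FILE_SIZE, 8, big_endian);
}

/* Before the fix: file_size is a 4-byte int and (assumed layout) file_type
 * sits right after it, so the callee's 8-byte write spills into file_type. */
struct result buggy_read_splashfile(int big_endian)
{
    unsigned char frame[8];                 /* [0..3] file_size, [4..7] file_type */
    store(frame + 4, FILE_TYPE_SENTINEL, 4, big_endian);
    callee_reports_length(frame, big_endian);   /* 8-byte write into a 4-byte slot */
    return (struct result){ load(frame, 4, big_endian),
                            (uint32_t)load(frame + 4, 4, big_endian) };
}

/* After the fix: file_size is a size_t, so the 8-byte write fits exactly. */
struct result fixed_read_splashfile(int big_endian)
{
    unsigned char frame[12];                /* [0..7] file_size, [8..11] file_type */
    store(frame + 8, FILE_TYPE_SENTINEL, 4, big_endian);
    callee_reports_length(frame, big_endian);
    return (struct result){ load(frame, 8, big_endian),
                            (uint32_t)load(frame + 8, 4, big_endian) };
}

int main(void)
{
    const char *order[] = { "little-endian", "big-endian" };
    for (int be = 0; be < 2; be++) {
        struct result b = buggy_read_splashfile(be);
        struct result f = fixed_read_splashfile(be);
        printf("%s buggy: file_size=0x%llx file_type=0x%x\n", order[be],
               (unsigned long long)b.file_size, b.file_type);
        printf("%s fixed: file_size=0x%llx file_type=0x%x\n", order[be],
               (unsigned long long)f.file_size, f.file_type);
    }
    return 0;
}
```

On the little-endian run the buggy variant gets the right file_size but file_type is overwritten with the upper 32 bits of the length (zero here), which is exactly the clobber the commit message says happened to be harmless on x86_64; on the big-endian run file_size comes out as zero and the real length lands in file_type, which is the breakage the message predicts. The fixed variant returns the sentinel untouched in both byte orders.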
Diffstat (limited to 'vl.c')
| -rw-r--r-- | vl.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/vl.c b/vl.c index 4ee1302595..7aab73b736 100644 --- a/vl.c +++ b/vl.c @@ -231,7 +231,7 @@ unsigned int nb_prom_envs = 0; const char *prom_envs[MAX_PROM_ENVS]; int boot_menu; uint8_t *boot_splash_filedata; -int boot_splash_filedata_size; +size_t boot_splash_filedata_size; uint8_t qemu_extra_params_fw[2]; typedef struct FWBootEntry FWBootEntry; |
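Review bot: this hunk only widens the global `boot_splash_filedata_size` from `int` to `size_t`; the `read_splashfile()` call site, its local `file_size` variable and the `(size_t *)` cast the commit message names are outside this hunk (the diffstat is limited to vl.c), so confirm that the same commit converts every place the variable is written, compared or passed on, otherwise the int/size_t mismatch is merely moved rather than removed. Changing the type also changes signedness: any existing `< 0` check on `boot_splash_filedata_size` becomes dead and any comparison against a signed `int` length becomes a mixed-sign comparison, and a format string printing it needs `%zu`. Worth a one-line note in the commit message that the matching read_splashfile() changes are in the same patch.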