diff options
Diffstat (limited to 'hw')
| -rw-r--r-- | hw/i386/multiboot.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c index b9064264d8..5bc0a2cddb 100644 --- a/hw/i386/multiboot.c +++ b/hw/i386/multiboot.c @@ -229,6 +229,10 @@ int load_multiboot(FWCfgState *fw_cfg, error_report("invalid load_addr address"); exit(1); } + if (mh_header_addr - mh_load_addr > i) { + error_report("invalid header_addr address"); + exit(1); + } uint32_t mb_kernel_text_offset = i - (mh_header_addr - mh_load_addr); uint32_t mb_load_size = 0; @@ -247,6 +251,10 @@ int load_multiboot(FWCfgState *fw_cfg, } mb_load_size = kernel_file_size - mb_kernel_text_offset; } + if (mb_load_size > UINT32_MAX - mh_load_addr) { + error_report("kernel does not fit in address space"); + exit(1); + } if (mh_bss_end_addr) { if (mh_bss_end_addr < (mh_load_addr + mb_load_size)) { error_report("invalid bss_end_addr address"); |