aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPaolo Bonzini <pbonzini@redhat.com>2015-09-14 12:07:22 +0200
committerMichael Tokarev <mjt@tls.msk.ru>2015-10-08 19:46:01 +0300
commitec5fd402645fd4f03d89dcd5840b0e8542549e82 (patch)
tree436f86413a54a3a7726cd477dee86a935ec1dd70
parent16033ba577059c5675e4c786234c46027380c29b (diff)
downloadqemu-arm-ec5fd402645fd4f03d89dcd5840b0e8542549e82.tar.gz
pc: check for underflow in load_linux
If (setup_size+1)*512 is small enough, kernel_size -= setup_size can allocate a huge amount of memory. Avoid that. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
-rw-r--r--hw/i386/pc.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index 9275297adc..682867a8a9 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -985,6 +985,10 @@ static void load_linux(PCMachineState *pcms,
setup_size = 4;
}
setup_size = (setup_size+1)*512;
+ if (setup_size > kernel_size) {
+ fprintf(stderr, "qemu: invalid kernel header\n");
+ exit(1);
+ }
kernel_size -= setup_size;
setup = g_malloc(setup_size);