path: root/hw/core/loader.c
author:    Igor Mammedov   2019-04-11 13:28:18 +0200
committer: Paolo Bonzini   2019-05-15 11:56:53 +0200
commit:    85fad7e11508fd581fdbb14dd6a6555a9e0c8d70 (patch)
tree:      0058f3eb489b86a885fccf00356871d113745ea6 /hw/core/loader.c
parent:    hw/input: Add a CONFIG_PS2 switch for the ps2.c file (diff)
roms: assert if max rom size is less than the used size
It would ensure that we would notice an attempt to write beyond the allocated buffer. In the case of a MemoryRegion-backed ROM that is the host buffer, and guest RAM otherwise.

The assert can be triggered with:

    dd if=/dev/zero of=/tmp/blob bs=63k count=1
    qemu-system-x86_64 `for i in {1..33}; do echo -n " -acpitable /tmp/blob"; done`

Fixes: (a1666142db acpi-build: make ROMs RAM blocks resizeable)
Reported-by: Wei Yang <richardw.yang@linux.intel.com>
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <1554982098-336210-1-git-send-email-imammedo@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
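The invariant the patch asserts (romsize >= datasize) matters because rom->data is allocated at datasize but is later copied into a destination sized by romsize; if a caller passes a max_len smaller than the blob, that later copy runs past the destination. The following is an added example, not QEMU code: a minimal C model of that invariant in which the size check reports an error and returns NULL instead of aborting, plus a hypothetical reset step that shows which buffer the check protects. The names rom_t, rom_add_blob_checked, rom_reset_into and rom_free are assumptions for illustration and do not exist in QEMU.

```c
/* Added example, not part of QEMU. Models the romsize/datasize invariant
 * from hw/core/loader.c rom_add_blob(); all names here are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    size_t romsize;   /* size of the region the ROM is copied into (host buffer or guest RAM) */
    size_t datasize;  /* bytes actually carried in data */
    uint8_t *data;    /* allocated at datasize, as in rom_add_blob() */
} rom_t;

/* Mirrors the patched lines: romsize = max_len ? max_len : len, datasize = len.
 * Instead of g_assert(), the violation is reported and NULL returned so that
 * a caller driven by user configuration can fail cleanly. */
rom_t *rom_add_blob_checked(const void *blob, size_t len, size_t max_len)
{
    size_t romsize = max_len ? max_len : len;

    if (romsize < len) {
        fprintf(stderr, "rom blob of %zu bytes exceeds max size %zu\n", len, romsize);
        return NULL;
    }

    rom_t *rom = calloc(1, sizeof(*rom));
    if (!rom) {
        return NULL;
    }
    rom->romsize = romsize;
    rom->datasize = len;
    rom->data = calloc(1, len ? len : 1);
    if (!rom->data) {
        free(rom);
        return NULL;
    }
    memcpy(rom->data, blob, len);
    return rom;
}

/* Hypothetical later step: the ROM is written into a destination that was
 * sized by romsize. This is the copy that would overflow if datasize were
 * allowed to exceed romsize, so the invariant is re-checked here as well.
 * Returns the number of data bytes written, or 0 on any size violation. */
size_t rom_reset_into(const rom_t *rom, uint8_t *dst, size_t dst_len)
{
    if (dst_len < rom->romsize || rom->datasize > rom->romsize) {
        return 0;
    }
    memcpy(dst, rom->data, rom->datasize);
    /* Pad the remainder of the ROM window with zeros. */
    memset(dst + rom->datasize, 0, rom->romsize - rom->datasize);
    return rom->datasize;
}

void rom_free(rom_t *rom)
{
    if (rom) {
        free(rom->data);
        free(rom);
    }
}

int main(void)
{
    /* Constructed inputs: a 4-byte blob with an 8-byte cap (fits), and a
     * 3-byte blob with a 2-byte cap (the case the patch's assert catches). */
    rom_t *ok = rom_add_blob_checked("abcd", 4, 8);
    rom_t *bad = rom_add_blob_checked("abc", 3, 2);
    uint8_t window[8];

    printf("fits: %s, rejected: %s\n", ok ? "yes" : "no", bad ? "no" : "yes");
    if (ok) {
        printf("reset wrote %zu bytes into %zu-byte window\n",
               rom_reset_into(ok, window, sizeof window), sizeof window);
    }
    rom_free(ok);
    rom_free(bad);
    return 0;
}
```

The rejected case is exactly the romsize < datasize condition the patch turns into an assertion; the difference here is that the caller gets a NULL and can report the misconfiguration instead of the process aborting.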
Diffstat (limited to 'hw/core/loader.c')
-rw-r--r--  hw/core/loader.c  1 +
1 file changed, 1 insertion(+), 0 deletions(-)
diff --git a/hw/core/loader.c b/hw/core/loader.c
index fe5cb24122..a097bbe30a 100644
--- a/hw/core/loader.c
+++ b/hw/core/loader.c
@@ -1025,6 +1025,7 @@ MemoryRegion *rom_add_blob(const char *name, const void *blob, size_t len,
rom->addr = addr;
rom->romsize = max_len ? max_len : len;
rom->datasize = len;
+ g_assert(rom->romsize >= rom->datasize);
rom->data = g_malloc0(rom->datasize);
memcpy(rom->data, blob, len);
rom_insert(rom);
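Review bot: the new `g_assert(rom->romsize >= rom->datasize);` turns a condition that the commit message says is reachable from the command line (33 oversized -acpitable blobs) into a hard abort, so a misconfigured guest takes QEMU down with a core dump instead of an error message. rom_add_blob() has no Error ** parameter, so the cleaner fix is to validate the blob size in the callers that pass a non-zero max_len and report it before calling, keeping this g_assert() as a last-line invariant. Note that the check is a no-op when max_len is 0 (romsize == len by construction); only an explicit max_len smaller than len can fire. Its placement before g_malloc0()/memcpy() is correct, though those two lines use datasize and cannot overflow on their own; the buffer the assertion actually protects is the romsize-sized destination that rom->data is copied into later, which is worth saying in a comment next to the assert.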