diff options
author | Paolo Bonzini | 2015-09-14 12:07:22 +0200 |
---|---|---|
committer | Michael Tokarev | 2015-10-08 18:46:01 +0200 |
commit | ec5fd402645fd4f03d89dcd5840b0e8542549e82 (patch) | |
tree | 436f86413a54a3a7726cd477dee86a935ec1dd70 /hw/i386 | |
parent | pci-assign: do not include sys/io.h (diff) | |
download | qemu-ec5fd402645fd4f03d89dcd5840b0e8542549e82.tar.gz qemu-ec5fd402645fd4f03d89dcd5840b0e8542549e82.tar.xz qemu-ec5fd402645fd4f03d89dcd5840b0e8542549e82.zip |
pc: check for underflow in load_linux
If (setup_size+1)*512 is small enough, kernel_size -= setup_size can allocate
a huge amount of memory. Avoid that.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Diffstat (limited to 'hw/i386')
-rw-r--r-- | hw/i386/pc.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/hw/i386/pc.c b/hw/i386/pc.c index 9275297adc..682867a8a9 100644 --- a/hw/i386/pc.c +++ b/hw/i386/pc.c @@ -985,6 +985,10 @@ static void load_linux(PCMachineState *pcms, setup_size = 4; } setup_size = (setup_size+1)*512; + if (setup_size > kernel_size) { + fprintf(stderr, "qemu: invalid kernel header\n"); + exit(1); + } kernel_size -= setup_size; setup = g_malloc(setup_size); |