authorPaolo Bonzini2015-09-14 12:07:22 +0200
committerMichael Tokarev2015-10-08 18:46:01 +0200
commitec5fd402645fd4f03d89dcd5840b0e8542549e82 (patch)
tree436f86413a54a3a7726cd477dee86a935ec1dd70 /hw/i386
parentpci-assign: do not include sys/io.h (diff)
pc: check for underflow in load_linux
If (setup_size+1)*512 is small enough, kernel_size -= setup_size can allocate a huge amount of memory. Avoid that. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Diffstat (limited to 'hw/i386')
-rw-r--r--hw/i386/pc.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index 9275297adc..682867a8a9 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -985,6 +985,10 @@ static void load_linux(PCMachineState *pcms,
setup_size = 4;
}
setup_size = (setup_size+1)*512;
+ if (setup_size > kernel_size) {
+ fprintf(stderr, "qemu: invalid kernel header\n");
+ exit(1);
+ }
kernel_size -= setup_size;
setup = g_malloc(setup_size);