Commit 78bd79fa, authored by Stefan Weil, committed by Michael Roth

qemu-char: Fix potential out of bounds access to local arrays

Latest gcc-4.8 supports a new option -fsanitize=address which activates
an AddressSanitizer. This AddressSanitizer stops the QEMU system emulation
very early because two character arrays of size 8 are potentially written
with 9 bytes.

Commit 6ea314d9 added the code.

There is no obvious reason why width or height could need 8 characters,
so reduce it to 7 characters which together with the terminating '\0'
fit into the arrays.

Cc: qemu-stable <qemu-stable@nongnu.org>
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Alex Bennée <alex@bennee.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit 49aa4058)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
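The overflow described above comes from a property of `sscanf` that is easy to miss: a `%N[...]` conversion stores up to N matched characters and then a terminating `'\0'`, so it needs N + 1 bytes of buffer. The following is an added example (not QEMU's own code) that mirrors the `vc:WxH` / `vc:CCxRRC` parsing in the patched function with the 8-byte buffers the commit message describes, and derives the scanf field width from a single macro so the buffer size and the format string cannot drift apart. Function and macro names are the example's own.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not QEMU code. The buffer size is derived from the digit
 * limit: a %N[...] conversion writes N characters plus '\0', i.e. N + 1
 * bytes, so the buffer must be at least DIM_MAX_DIGITS + 1 long. */
#define DIM_MAX_DIGITS 7                    /* matches %7[0-9] in the patch */
#define DIM_BUF (DIM_MAX_DIGITS + 1)        /* 7 digits + '\0' == 8 bytes */
#define STR_(x) #x
#define STR(x) STR_(x)
#define DIM_FMT "%" STR(DIM_MAX_DIGITS) "[0-9]"   /* expands to "%7[0-9]" */

_Static_assert(DIM_MAX_DIGITS + 1 <= DIM_BUF,
               "scanf field width must leave room for the terminating NUL");

/* Classify a vc: geometry string (the part after "vc:").
 * Returns 1 for "WxH" (pixels), 2 for "CCxRRC" (character cells),
 * 0 if neither form matches. On 1 or 2 the digit strings are stored in
 * width and height; each receives at most DIM_MAX_DIGITS digits + '\0'. */
int parse_vc_geometry(const char *p, char width[DIM_BUF], char height[DIM_BUF])
{
    if (sscanf(p, DIM_FMT "x" DIM_FMT, width, height) == 2) {
        return 1;                           /* pixels */
    }
    if (sscanf(p, DIM_FMT "Cx" DIM_FMT "C", width, height) == 2) {
        return 2;                           /* chars */
    }
    return 0;                               /* over-long or malformed */
}

/* Wrappers returning plain values so the behaviour can be checked. */
int geometry_kind(const char *p)
{
    char w[DIM_BUF], h[DIM_BUF];
    return parse_vc_geometry(p, w, h);
}

int geometry_matches(const char *p, const char *want_w, const char *want_h)
{
    char w[DIM_BUF], h[DIM_BUF];
    if (parse_vc_geometry(p, w, h) == 0) {
        return 0;
    }
    return strcmp(w, want_w) == 0 && strcmp(h, want_h) == 0;
}

int main(void)
{
    /* Constructed inputs: two valid forms, the maximum digit count, a
     * string with more digits than the buffer can hold, and garbage. */
    const char *samples[] = { "800x600", "80Cx24C", "1234567x7654321",
                              "123456789x1", "abc" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char w[DIM_BUF], h[DIM_BUF];
        int kind = parse_vc_geometry(samples[i], w, h);
        if (kind) {
            printf("%-16s kind=%d width=%s height=%s\n", samples[i], kind, w, h);
        } else {
            printf("%-16s rejected\n", samples[i]);
        }
    }
    return 0;
}
```

Note the behaviour on the over-long input: `%7[0-9]` stops after seven digits, the literal `x` in the format then fails to match the eighth digit, and the string is rejected rather than silently truncated. The buffer still receives exactly eight bytes (seven digits plus NUL), which is the most it can legally hold.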
Parent a2c9dc50
......@@ -2969,11 +2969,11 @@ QemuOpts *qemu_chr_parse_compat(const char *label, const char *filename)
if (strstart(filename, "vc", &p)) {
qemu_opt_set(opts, "backend", "vc");
if (*p == ':') {
if (sscanf(p+1, "%8[0-9]x%8[0-9]", width, height) == 2) {
if (sscanf(p+1, "%7[0-9]x%7[0-9]", width, height) == 2) {
/* pixels */
qemu_opt_set(opts, "width", width);
qemu_opt_set(opts, "height", height);
} else if (sscanf(p+1, "%8[0-9]Cx%8[0-9]C", width, height) == 2) {
} else if (sscanf(p+1, "%7[0-9]Cx%7[0-9]C", width, height) == 2) {
/* chars */
qemu_opt_set(opts, "cols", width);
qemu_opt_set(opts, "rows", height);
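Review bot: the `7` in both changed `sscanf` calls (`%7[0-9]x%7[0-9]` and `%7[0-9]Cx%7[0-9]C`) is a magic number that is only correct while `width` and `height` remain 8-byte arrays, and their declarations are not part of this hunk, so nothing ties the field width to the buffer size. Consider building the format string from a single macro (a stringified digit limit with the arrays sized as limit + 1), or at least adding a comment at the declarations that a `%N[` conversion stores N characters plus the terminating NUL, so the next person to resize the arrays updates both. The fix itself is sound: seven digits plus NUL fit exactly, and an eighth digit now makes the literal `x` fail to match, so the option is rejected instead of overflowing.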