pc: check for underflow in load_linux

If (setup_size+1)*512 is small enough, kernel_size -= setup_size can allocate a huge amount of memory. Avoid that. Signed-off-by: N Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: N Michael Tokarev <mjt@tls.msk.ru>

pc: check for underflow in load_linux
If (setup_size+1)*512 is small enough, kernel_size -= setup_size can allocate a huge amount of memory. Avoid that. Signed-off-by: N Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: N Michael Tokarev <mjt@tls.msk.ru>
ec5fd402 · Paolo Bonzini · Michael Tokarev · 16033ba5 · ec5fd402
隐藏空白更改
内联并排

Showing with 4 addition and 0 deletion

hw/i386/pc.c hw/i386/pc.c +4 -0

未找到文件。
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -985,6 +985,10 @@ static void load_linux(PCMachineState *pcms,
        setup_size = 4;
    }
    setup_size = (setup_size+1)*512;
+    if (setup_size > kernel_size) {
+        fprintf(stderr, "qemu: invalid kernel header\n");
+        exit(1);
+    }
    kernel_size -= setup_size;

    setup  = g_malloc(setup_size);