Message ID | 1442225242-27908-1-git-send-email-pbonzini@redhat.com
---|---
State | New
14.09.2015 13:07, Paolo Bonzini wrote:
> If (setup_size+1)*512 is small enough, kernel_size -= setup_size can allocate
> a huge amount of memory. Avoid that.

Applied to -trivial, thanks!

/mjt
diff --git a/hw/i386/pc.c b/hw/i386/pc.c index 56aecce..6a312bd 100644 --- a/hw/i386/pc.c +++ b/hw/i386/pc.c @@ -986,6 +986,10 @@ static void load_linux(PCMachineState *pcms, setup_size = 4; } setup_size = (setup_size+1)*512; + if (setup_size > kernel_size) { + fprintf(stderr, "qemu: invalid kernel header\n"); + exit(1); + } kernel_size -= setup_size; setup = g_malloc(setup_size);
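Review bot: the new guard uses `>`, so an image whose length is exactly `(setup_size+1)*512` passes the check and `kernel_size -= setup_size` leaves `kernel_size` at 0, which then flows into the subsequent allocation and read of the kernel payload; if a kernel with no payload after the setup sectors is also invalid, `if (setup_size >= kernel_size)` would reject that case with the same message. The message "qemu: invalid kernel header" could also say what was wrong (setup sectors exceed the image size) so a user can tell a truncated image from a corrupt header.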
If (setup_size+1)*512 is small enough, kernel_size -= setup_size can allocate
a huge amount of memory. Avoid that.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 hw/i386/pc.c | 4 ++++
 1 file changed, 4 insertions(+)