[Qemu-commits] [qemu/qemu] 065e62: device_tree: Fix integer overflowing
From: Peter Maydell
Subject: [Qemu-commits] [qemu/qemu] 065e62: device_tree: Fix integer overflowing in load_devic...
Date: Wed, 10 Apr 2019 09:27:36 +0000 (UTC)
Branch: refs/heads/master
Home: https://github.com/qemu/qemu
Commit: 065e6298a75164b4347682b63381dbe752c2b156
https://github.com/qemu/qemu/commit/065e6298a75164b4347682b63381dbe752c2b156
Author: Markus Armbruster <address@hidden>
Date: 2019-04-09 (Tue, 09 Apr 2019)
Changed paths:
M device_tree.c
Log Message:
-----------
device_tree: Fix integer overflowing in load_device_tree()

If the value of get_image_size() exceeds INT_MAX / 2 - 10000, the
computation of @dt_size overflows to a negative number, which then
gets converted to a very large size_t for g_malloc0() and
load_image_size(). In the (fortunately improbable) case g_malloc0()
succeeds and load_image_size() survives, we'd assign the negative
number to *sizep. What that would do to the callers I can't say, but
it's unlikely to be good.

Fix by rejecting images whose size would overflow.

Reported-by: Kurtis Miller <address@hidden>
Signed-off-by: Markus Armbruster <address@hidden>
Reviewed-by: Philippe Mathieu-Daudé <address@hidden>
Signed-off-by: Alistair Francis <address@hidden>
Message-Id: <address@hidden>
Commit: 6523516f321208b46a6be821c443d4b960c0c24c
https://github.com/qemu/qemu/commit/6523516f321208b46a6be821c443d4b960c0c24c
Author: Peter Maydell <address@hidden>
Date: 2019-04-10 (Wed, 10 Apr 2019)
Changed paths:
M device_tree.c
Log Message:
-----------
Merge remote-tracking branch
'remotes/alistair/tags/pull-device-tree-20190409-1' into staging
Single device tree fix for 4.0
A single patch to avoid an overflow when loading device trees.
# gpg: Signature made Wed 10 Apr 2019 00:52:16 BST
# gpg: using RSA key F6C4AC46D4934868D3B8CE8F21E10D29DF977054
# gpg: Good signature from "Alistair Francis <address@hidden>" [full]
# Primary key fingerprint: F6C4 AC46 D493 4868 D3B8 CE8F 21E1 0D29 DF97 7054
* remotes/alistair/tags/pull-device-tree-20190409-1:
device_tree: Fix integer overflowing in load_device_tree()
Signed-off-by: Peter Maydell <address@hidden>
Compare: https://github.com/qemu/qemu/compare/f151f8aca5cf...6523516f3212
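
The overflow described in the first commit's log message, as an added example that is not QEMU's code and not part of this e-mail. It assumes the padding computation is (size + 10000) * 2 in an int, which is what the INT_MAX / 2 - 10000 bound implies, and a 32-bit two's-complement int; all function names are hypothetical.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: the loader pads the image size as (size + DT_SLACK) * 2 in an
 * int; this is the computation the INT_MAX / 2 - 10000 bound implies. */
#define DT_SLACK 10000

/* Hypothetical helper: checked version of the padding computation.
 * Returns 0 and stores the padded size, or -1 if the size is negative
 * (error from the size query) or the padding would overflow int. */
int dt_padded_size(int image_size, int *padded)
{
    if (image_size < 0 || image_size > INT_MAX / 2 - DT_SLACK) {
        return -1;
    }
    *padded = (image_size + DT_SLACK) * 2;
    return 0;
}

/* Hypothetical helper: the value the unchecked int arithmetic wraps to on a
 * two's-complement machine with 32-bit int, computed in 64 bits so the
 * demonstration itself contains no undefined behaviour. */
int dt_unchecked_wrapped(int image_size)
{
    uint32_t u = (uint32_t)(((int64_t)image_size + DT_SLACK) * 2);
    return u <= INT_MAX ? (int)u : (int)(u - 0x80000000u) + INT_MIN;
}

/* A negative int handed to a size_t parameter becomes a huge request. */
size_t dt_as_alloc_request(int dt_size)
{
    return (size_t)dt_size;
}

int main(void)
{
    int limit = INT_MAX / 2 - DT_SLACK;   /* largest accepted image size */
    int padded = 0;
    int rc = dt_padded_size(limit, &padded);
    int wrapped = dt_unchecked_wrapped(limit + 1);

    printf("limit     : %d -> rc %d, padded %d\n", limit, rc, padded);
    printf("limit + 1 : rc %d (rejected)\n", dt_padded_size(limit + 1, &padded));
    printf("unchecked : %d -> size_t %zu\n", wrapped, dt_as_alloc_request(wrapped));
    return 0;
}
```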