From: Paolo Bonzini Date: Mon, 14 Sep 2015 10:07:22 +0000 (+0200) Subject: pc: check for underflow in load_linux X-Git-Tag: v2.5.0-rc0~81^2~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ec5fd402645fd4f03d89dcd5840b0e8542549e82;p=thirdparty%2Fqemu.git pc: check for underflow in load_linux If (setup_size+1)*512 is small enough, kernel_size -= setup_size can allocate a huge amount of memory. Avoid that. Signed-off-by: Paolo Bonzini Signed-off-by: Michael Tokarev --- diff --git a/hw/i386/pc.c b/hw/i386/pc.c index 9275297adcf..682867a8a99 100644 --- a/hw/i386/pc.c +++ b/hw/i386/pc.c @@ -985,6 +985,10 @@ static void load_linux(PCMachineState *pcms, setup_size = 4; } setup_size = (setup_size+1)*512; + if (setup_size > kernel_size) { + fprintf(stderr, "qemu: invalid kernel header\n"); + exit(1); + } kernel_size -= setup_size; setup = g_malloc(setup_size);
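Review bot: the new guard `if (setup_size > kernel_size)` still lets the boundary case setup_size == kernel_size through, which leaves kernel_size at exactly zero after `kernel_size -= setup_size;`; a kernel image that consists only of the setup sectors is not loadable either, so `>=` would reject it with the same "invalid kernel header" message instead of proceeding with an empty kernel. Note also that the check is placed correctly after `setup_size = (setup_size+1)*512;`, since it is the scaled value that is subtracted, and that the multiplication itself cannot overflow here because setup_size is a small sector count (defaulted to 4 just above) before scaling. Minor: the commit message says the problem occurs when "(setup_size+1)*512 is small enough", but the condition being guarded is the opposite, setup_size larger than kernel_size, so the subtraction wraps; worth rewording so the log matches the check.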