Google Git
Sign in
qemu / qemu / d09acb9b5ef0bb4fa94d3d459919a6ebaf8804bc
commitd09acb9b5ef0bb4fa94d3d459919a6ebaf8804bc[log] [tgz]
authorMarkus Armbruster <armbru@redhat.com>Wed Jan 23 18:25:08 2013 +0100
committerBlue Swirl <blauwirbel@gmail.com>Sat Jan 26 13:23:33 2013 +0000
tree3ab5a8bc33f0856f130c055b1c1eba2e7585ce9a
parenta6e7c18476f5383720b3f57ef4f467b2e7c2565e [diff]
fw_cfg: Splash image loader can overrun a stack variable, fix

read_splashfile() passes the address of an int variable as size_t *
parameter to g_file_get_contents(), with a cast to gag the compiler.

No problem on machines where sizeof(size_t) == sizeof(int).

Happens to work on my x86_64 box (64 bit little endian): the least
significant 32 bits of the file size end up in the right place
(caller's variable file_size), and the most significant 32 bits
clobber a place that gets assigned to before its next use (caller's
variable file_type).

I'd expect it to break on a 64 bit big-endian box.

Fix up the variable types and drop the problematic cast.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
3 files changed
tree: 3ab5a8bc33f0856f130c055b1c1eba2e7585ce9a
  1. audio/
  2. backends/
  3. block/
  4. bsd-user/
  5. default-configs/
  6. disas/
  7. docs/
  8. fpu/
  9. fsdev/
  10. gdb-xml/
  11. hw/
  12. include/
  13. ldscripts/
  14. libcacard/
  15. linux-headers/
  16. linux-user/
  17. net/
  18. pc-bios/
  19. qapi/
  20. qga/
  21. QMP/
  22. qobject/
  23. qom/
  24. roms/
  25. scripts/
  26. slirp/
  27. stubs/
  28. sysconfigs/
  29. target-alpha/
  30. target-arm/
  31. target-cris/
  32. target-i386/
  33. target-lm32/
  34. target-m68k/
  35. target-microblaze/
  36. target-mips/
  37. target-openrisc/
  38. target-ppc/
  39. target-s390x/
  40. target-sh4/
  41. target-sparc/
  42. target-unicore32/
  43. target-xtensa/
  44. tcg/
  45. tests/
  46. trace/
  47. ui/
  48. util/
  49. pixman
  50. .exrc
  51. .gitignore
  52. .gitmodules
  53. .mailmap
  54. aio-posix.c
  55. aio-win32.c
  56. arch_init.c
  57. async.c
  58. balloon.c
  59. block-migration.c
  60. block.c
  61. blockdev-nbd.c
  62. blockdev.c
  63. blockjob.c
  64. bt-host.c
  65. bt-vhci.c
  66. Changelog
  67. cmd.c
  68. cmd.h
  69. CODING_STYLE
  70. configure
  71. COPYING
  72. COPYING.LIB
  73. coroutine-gthread.c
  74. coroutine-sigaltstack.c
  75. coroutine-ucontext.c
  76. coroutine-win32.c
  77. cpu-exec.c
  78. cpus.c
  79. cputlb.c
  80. device_tree.c
  81. disas.c
  82. dma-helpers.c
  83. dump-stub.c
  84. dump.c
  85. exec.c
  86. gdbstub.c
  87. HACKING
  88. hmp-commands.hx
  89. hmp.c
  90. hmp.h
  91. iohandler.c
  92. ioport.c
  93. kvm-all.c
  94. kvm-stub.c
  95. LICENSE
  96. main-loop.c
  97. MAINTAINERS
  98. Makefile
  99. Makefile.objs
  100. Makefile.target
  101. memory.c
  102. memory_mapping-stub.c
  103. memory_mapping.c
  104. migration-exec.c
  105. migration-fd.c
  106. migration-tcp.c
  107. migration-unix.c
  108. migration.c
  109. monitor.c
  110. nbd.c
  111. os-posix.c
  112. os-win32.c
  113. page_cache.c
  114. qapi-schema-test.json
  115. qapi-schema.json
  116. qdict-test-data.txt
  117. qemu-bridge-helper.c
  118. qemu-char.c
  119. qemu-coroutine-io.c
  120. qemu-coroutine-lock.c
  121. qemu-coroutine-sleep.c
  122. qemu-coroutine.c
  123. qemu-doc.texi
  124. qemu-img-cmds.hx
  125. qemu-img.c
  126. qemu-img.texi
  127. qemu-io.c
  128. qemu-log.c
  129. qemu-nbd.c
  130. qemu-nbd.texi
  131. qemu-options-wrapper.h
  132. qemu-options.h
  133. qemu-options.hx
  134. qemu-seccomp.c
  135. qemu-tech.texi
  136. qemu-timer.c
  137. qemu.sasl
  138. qmp-commands.hx
  139. qmp.c
  140. qtest.c
  141. readline.c
  142. README
  143. rules.mak
  144. savevm.c
  145. spice-qemu-char.c
  146. tcg-runtime.c
  147. tci.c
  148. thread-pool.c
  149. thunk.c
  150. TODO
  151. trace-events
  152. translate-all.c
  153. translate-all.h
  154. user-exec.c
  155. VERSION
  156. version.rc
  157. vl.c
  158. xen-all.c
  159. xen-mapcache.c
  160. xen-stub.c