[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH 1/2] fw_cfg: Splash image loader can overrun a s
From: |
Laszlo Ersek |
Subject: |
Re: [Qemu-devel] [PATCH 1/2] fw_cfg: Splash image loader can overrun a stack variable, fix |
Date: |
Thu, 24 Jan 2013 12:08:19 +0100 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:10.0.11) Gecko/20121116 Thunderbird/10.0.11 |
On 01/23/13 18:25, Markus Armbruster wrote:
> read_splashfile() passes the address of an int variable as size_t *
> parameter to g_file_get_contents(), with a cast to gag the compiler.
>
> No problem on machines where sizeof(size_t) == sizeof(int).
>
> Happens to work on my x86_64 box (64 bit little endian): the least
> significant 32 bits of the file size end up in the right place
> (caller's variable file_size), and the most significant 32 bits
> clobber a place that gets assigned to before its next use (caller's
> variable file_type).
>
> I'd expect it to break on a 64 bit big-endian box.
>
> Fix up the variable types and drop the problematic cast.
>
Ultimately fw_cfg_add_file() and fw_cfg_add_bytes() (reasonably) convert
(truncate) the size to uint32_t, but that's completely orthogonal.
Reviewed-by: Laszlo Ersek <address@hidden>