diff options
author | Michael S. Tsirkin <mst@redhat.com> | 2015-02-01 11:54:26 +0200 |
---|---|---|
committer | Michael S. Tsirkin <mst@redhat.com> | 2015-02-26 12:42:15 +0100 |
commit | 12e63900f01ce54702745d83f985e26042adda9b (patch) | |
tree | 6b34d6fbfefb5a163b48a9cacf5cd9ef71d4afbe /hw/acpi/bios-linker-loader.c | |
parent | 16771613a89838020ee6d84be40b46c6a8180824 (diff) | |
download | qemu-12e63900f01ce54702745d83f985e26042adda9b.zip qemu-12e63900f01ce54702745d83f985e26042adda9b.tar.gz qemu-12e63900f01ce54702745d83f985e26042adda9b.tar.bz2 |
bios linker: validate pointer within table
buios linker assumes pointer parameter it gets
is within table, validate this.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Diffstat (limited to 'hw/acpi/bios-linker-loader.c')
-rw-r--r-- | hw/acpi/bios-linker-loader.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/hw/acpi/bios-linker-loader.c b/hw/acpi/bios-linker-loader.c index 5cc4d90..d9382f8 100644 --- a/hw/acpi/bios-linker-loader.c +++ b/hw/acpi/bios-linker-loader.c @@ -141,6 +141,7 @@ void bios_linker_loader_add_pointer(GArray *linker, uint8_t pointer_size) { BiosLinkerLoaderEntry entry; + size_t offset = (gchar *)pointer - table->data; memset(&entry, 0, sizeof entry); strncpy(entry.pointer.dest_file, dest_file, @@ -148,7 +149,8 @@ void bios_linker_loader_add_pointer(GArray *linker, strncpy(entry.pointer.src_file, src_file, sizeof entry.pointer.src_file - 1); entry.command = cpu_to_le32(BIOS_LINKER_LOADER_COMMAND_ADD_POINTER); - entry.pointer.offset = cpu_to_le32((gchar *)pointer - table->data); + assert(table->len >= offset + pointer_size); + entry.pointer.offset = cpu_to_le32(offset); entry.pointer.size = pointer_size; assert(pointer_size == 1 || pointer_size == 2 || pointer_size == 4 || pointer_size == 8); |