aboutsummaryrefslogtreecommitdiff
path: root/hw/arm
diff options
context:
space:
mode:
authorCédric Le Goater <clg@kaod.org>2017-02-10 17:40:29 +0000
committerPeter Maydell <peter.maydell@linaro.org>2017-02-10 17:40:29 +0000
commit0c7209bee805bcc974cf16cd567c8865db5d1ce5 (patch)
treecefa91d60d5c90a58700b805cab945b0beabcea4 /hw/arm
parent14efdb5cb3540d5ada51b81b70ec18ce95ae1642 (diff)
downloadqemu-0c7209bee805bcc974cf16cd567c8865db5d1ce5.zip
qemu-0c7209bee805bcc974cf16cd567c8865db5d1ce5.tar.gz
qemu-0c7209bee805bcc974cf16cd567c8865db5d1ce5.tar.bz2
aspeed: check for negative values returned by blk_getlength()
write_boot_rom() does not check for negative values. This is more a problem for coverity than the actual code as the size of the flash device is checked when the m25p80 object is created. If there is anything wrong with the backing file, we should not even reach that path. Signed-off-by: Cédric Le Goater <clg@kaod.org> Message-id: 1486648058-520-2-git-send-email-clg@kaod.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'hw/arm')
-rw-r--r--hw/arm/aspeed.c14
1 files changed, 12 insertions, 2 deletions
diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
index a92c2f1..ac9cbd6 100644
--- a/hw/arm/aspeed.c
+++ b/hw/arm/aspeed.c
@@ -113,9 +113,19 @@ static void write_boot_rom(DriveInfo *dinfo, hwaddr addr, size_t rom_size,
{
BlockBackend *blk = blk_by_legacy_dinfo(dinfo);
uint8_t *storage;
+ int64_t size;
- if (rom_size > blk_getlength(blk)) {
- rom_size = blk_getlength(blk);
+ /* The block backend size should have already been 'validated' by
+ * the creation of the m25p80 object.
+ */
+ size = blk_getlength(blk);
+ if (size <= 0) {
+ error_setg(errp, "failed to get flash size");
+ return;
+ }
+
+ if (rom_size > size) {
+ rom_size = size;
}
storage = g_new0(uint8_t, rom_size);