authorMarkus Armbruster <armbru@redhat.com>2011-11-16 19:41:56 +0100
committerBlue Swirl <blauwirbel@gmail.com>2011-11-19 11:23:42 +0000
commit725e14e91f80b6b2c07b75b66b7b042a9fa9340c (patch)
tree093a3bfc53e586113b29cd69702cf8b9150f9c4b /hw/loader.c
parent96d922a654f4b5a806af43d6dc6fa7c1becbbac6 (diff)
loader: Fix read_targphys() to behave when read() fails
Happily passes (size_t)-1 to rom_add_blob_fixed(), which promptly dies attempting to malloc that much. Spotted by Coverity. Bonus fix for ROMs larger than INT_MAX bytes: return ssize_t instead of int. Bug can't bite, because the only user load_aout() limits ROM size to an int value. Signed-off-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
Diffstat (limited to 'hw/loader.c')
-rw-r--r--hw/loader.c9
1 files changed, 5 insertions, 4 deletions
diff --git a/hw/loader.c b/hw/loader.c
index 5676c18..9bbcddd 100644
--- a/hw/loader.c
+++ b/hw/loader.c
@@ -85,11 +85,11 @@ int load_image(const char *filename, uint8_t *addr)
}
/* read()-like version */
-int read_targphys(const char *name,
- int fd, target_phys_addr_t dst_addr, size_t nbytes)
+ssize_t read_targphys(const char *name,
+ int fd, target_phys_addr_t dst_addr, size_t nbytes)
{
uint8_t *buf;
- size_t did;
+ ssize_t did;
buf = g_malloc(nbytes);
did = read(fd, buf, nbytes);
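Review bot: `read_targphys()` now returns `ssize_t` but still takes `size_t nbytes`, and the visible lines pass that count unchecked to `g_malloc(nbytes)` and `read(fd, buf, nbytes)`. POSIX leaves read() implementation-defined for counts above SSIZE_MAX, and g_malloc() aborts the process instead of returning NULL, so an oversized count derived from an image file would end in an abort rather than an error return. The commit message says load_aout() keeps the size within an int, so this is latent; a guard before the allocation, `if (nbytes > SSIZE_MAX) return -1;`, would make the contract hold for any later caller. The one-line comment could also spell out the return convention, for example `/* read()-like version: returns bytes read, or -1 if read() fails */`, assuming that is what the rest of the body (outside this hunk) does.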
@@ -176,7 +176,8 @@ static void bswap_ahdr(struct exec *e)
int load_aout(const char *filename, target_phys_addr_t addr, int max_sz,
int bswap_needed, target_phys_addr_t target_page_size)
{
- int fd, size, ret;
+ int fd;
+ ssize_t size, ret;
struct exec e;
uint32_t magic;
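Review bot: `size` and `ret` are widened to `ssize_t`, but `load_aout()` is still declared to return `int` and takes `int max_sz`, so any `return ret;` or comparison against `max_sz` in the body converts between the two widths implicitly. The commit message states that sizes are limited to an int value, which makes the narrowing safe today; that invariant deserves a comment at the declaration, e.g. `/* ssize_t to hold read()/read_targphys() results; values stay <= max_sz, so returning them as int is safe */`. If that bound is ever relaxed, the return type needs to widen with it. The body of load_aout() continues outside this hunk, so how the two variables are used could not be checked here.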