[Qemu-stable] [PATCH 09/32] qemu-char: Fix potential out of bounds access to local arrays
From: Michael Roth
Subject: [Qemu-stable] [PATCH 09/32] qemu-char: Fix potential out of bounds access to local arrays
Date: Wed, 4 Dec 2013 08:34:16 -0600
From: Stefan Weil <address@hidden>
Latest gcc-4.8 supports a new option -fsanitize=address which activates
an AddressSanitizer. This AddressSanitizer stops the QEMU system emulation
very early because two character arrays of size 8 are potentially written
with 9 bytes.
Commit 6ea314d91439741e95772dfbab98b4135e04bebb added the code.
There is no obvious reason why width or height could need 8 characters,
so reduce it to 7 characters which together with the terminating '\0'
fit into the arrays.
Cc: qemu-stable <address@hidden>
Signed-off-by: Stefan Weil <address@hidden>
Reviewed-by: Alex Bennée <address@hidden>
Signed-off-by: Michael Tokarev <address@hidden>
(cherry picked from commit 49aa4058ac6dd0081aaa45776f07c98df397ca5e)
Signed-off-by: Michael Roth <address@hidden>
---
qemu-char.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/qemu-char.c b/qemu-char.c
index fc1c23d..649c9f9 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -2969,11 +2969,11 @@ QemuOpts *qemu_chr_parse_compat(const char *label,
const char *filename)
if (strstart(filename, "vc", &p)) {
qemu_opt_set(opts, "backend", "vc");
if (*p == ':') {
- if (sscanf(p+1, "%8[0-9]x%8[0-9]", width, height) == 2) {
+ if (sscanf(p+1, "%7[0-9]x%7[0-9]", width, height) == 2) {
/* pixels */
qemu_opt_set(opts, "width", width);
qemu_opt_set(opts, "height", height);
- } else if (sscanf(p+1, "%8[0-9]Cx%8[0-9]C", width, height) == 2) {
+ } else if (sscanf(p+1, "%7[0-9]Cx%7[0-9]C", width, height) == 2) {
/* chars */
qemu_opt_set(opts, "cols", width);
qemu_opt_set(opts, "rows", height);
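Review bot: The narrowing from %8[0-9] to %7[0-9] in all four scansets fixes the overflow (seven digits plus the terminating '\0' fit the 8-byte arrays the commit message describes) but leaves the field width hard-coded in the format strings, so a later resize of width/height would reintroduce the mismatch; consider deriving the width from the array size (a macro, or a format built with snprintf from sizeof). Two behaviour changes are worth stating in the commit message: an eight-digit width such as 12345678x600 no longer matches the literal 'x' (or 'C') and silently falls through both branches, and 800x12345678 still matches with the height truncated to 1234567, since sscanf returns 2 without consuming the remaining digit.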
--
1.7.9.5
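The overflow the commit message describes and the effect of the narrowed scanset, as an added C example that is not part of the patch or of QEMU: parse_geometry, classify_vc_option, check_case and digits_stored are illustrative names, and GEOM_BUF assumes the 8-byte arrays the commit message mentions. It goes one step beyond the literal %7 in the patch by building the format from the buffer size, so the field width cannot drift from the array size.

```c
#include <stdio.h>
#include <string.h>
/* Buffers sized like the 8-byte width/height arrays from the commit
 * message. "%N[0-9]" stores up to N chars plus '\0', so N = size - 1. */
#define GEOM_BUF 8

/* Build the scanf format from the buffer sizes so the field width cannot
 * drift from the array size. suffix is "" for pixels ("800x600") or "C"
 * for characters ("80Cx25C"). Returns fields matched (2 = ok), -1 on error. */
static int parse_geometry(const char *s, const char *suffix,
                          char *w, size_t wsz, char *h, size_t hsz)
{
    char fmt[64];
    int n = (wsz < 2 || hsz < 2) ? -1
          : snprintf(fmt, sizeof fmt, "%%%zu[0-9]%sx%%%zu[0-9]%s",
                     wsz - 1, suffix, hsz - 1, suffix);
    if (n < 0 || (size_t)n >= sizeof fmt) {
        return -1;
    }
    w[0] = h[0] = '\0';
    return sscanf(s, fmt, w, h);
}

/* Same two-step logic as the patched qemu_chr_parse_compat(). */
static const char *classify_vc_option(const char *p, char *w, char *h)
{
    if (parse_geometry(p, "", w, GEOM_BUF, h, GEOM_BUF) == 2) {
        return "pixels";
    }
    return parse_geometry(p, "C", w, GEOM_BUF, h, GEOM_BUF) == 2
           ? "chars" : "unparsed";
}

/* 1 when p classifies as kind with the given width and height strings. */
static int check_case(const char *p, const char *kind,
                      const char *want_w, const char *want_h)
{
    char w[GEOM_BUF], h[GEOM_BUF];
    return strcmp(classify_vc_option(p, w, h), kind) == 0 &&
           strcmp(w, want_w) == 0 && strcmp(h, want_h) == 0;
}

/* Digits a "%(bufsz-1)[0-9]" width field stores for s; with bufsz 9 (the
 * pre-patch %8 width) an 8-digit value plus '\0' needs all nine bytes. */
static size_t digits_stored(size_t bufsz, const char *s)
{
    char w[16], h[16];
    return (bufsz > sizeof w || parse_geometry(s, "", w, bufsz, h, bufsz) < 0)
           ? 0 : strlen(w);
}
```

An eight-digit width such as 12345678x600 ends up "unparsed" because the scanset stops after seven digits and the literal 'x' then fails to match, while 800x12345678 still parses with the height silently cut to 1234567.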