
[Xen-changelog] [qemu-upstream-unstable] qemu-char: Fix potential out of bounds access to local arrays

commit 78bd79fac33a56156d1d05a7f0547a0b7c282225
Author:     Stefan Weil <sw@xxxxxxxxxxx>
AuthorDate: Mon Sep 30 23:04:49 2013 +0200
Commit:     Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
CommitDate: Mon Dec 2 21:43:54 2013 -0600

    qemu-char: Fix potential out of bounds access to local arrays

    Latest gcc-4.8 supports a new option -fsanitize=address which activates
    an AddressSanitizer. This AddressSanitizer stops the QEMU system emulation
    very early because two character arrays of size 8 are potentially written
    with 9 bytes.

    Commit 6ea314d91439741e95772dfbab98b4135e04bebb added the code.

    There is no obvious reason why width or height could need 8 characters,
    so reduce it to 7 characters which together with the terminating '\0'
    fit into the arrays.

    Cc: qemu-stable <qemu-stable@xxxxxxxxxx>
    Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
    Reviewed-by: Alex Bennée <alex@xxxxxxxxxx>
    Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>
    (cherry picked from commit 49aa4058ac6dd0081aaa45776f07c98df397ca5e)
    Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
 qemu-char.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)
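The rule behind this fix is that a `%N[...]` conversion in sscanf stores up to N matched characters and then a terminating '\0', so the destination must be at least N+1 bytes; `%8[0-9]` into `char width[8]` is therefore a one-byte overflow on an 8-digit input. The following is an added example (not QEMU code, and not part of the commit) that measures what a `%N[0-9]` conversion really stores, and parses the same `WxH` / `WCxHC` geometry forms with the field width derived from the buffer size so the two cannot drift apart. `GEOM_LEN`, `build_fmt`, `parse_geometry`, `bytes_stored` and `geometry_kind` are names chosen here, not QEMU identifiers.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not QEMU code. Demonstrates the sscanf width rule behind the
 * commit above: "%N[...]" stores up to N matched characters PLUS a '\0', so
 * a destination of exactly N bytes is one byte too small. */

#define GEOM_LEN 8   /* mirrors the size of QEMU's local width[8]/height[8] */

/* Measure how many bytes a "%N[0-9]" conversion actually stores for INPUT.
 * An oversized, non-NUL-filled scratch buffer keeps the measurement safe. */
size_t bytes_stored(const char *input, int n)
{
    char scratch[64];
    char fmt[16];

    memset(scratch, 0x7f, sizeof scratch);       /* sentinel bytes, not '\0' */
    snprintf(fmt, sizeof fmt, "%%%d[0-9]", n);   /* e.g. "%8[0-9]" */
    if (sscanf(input, fmt, scratch) != 1) {
        return 0;
    }
    return strlen(scratch) + 1;                  /* matched digits plus '\0' */
}

/* Build "%<w>[0-9]<sep1>%<w>[0-9]<sep2>" with w = buflen - 1, so the field
 * width is always one less than the destination size, whatever that size is. */
static void build_fmt(char *fmt, size_t fmtlen, size_t buflen,
                      const char *sep1, const char *sep2)
{
    unsigned w = (unsigned)(buflen - 1);
    snprintf(fmt, fmtlen, "%%%u[0-9]%s%%%u[0-9]%s", w, sep1, w, sep2);
}

enum geom_kind { GEOM_NONE = 0, GEOM_PIXELS, GEOM_CHARS };

/* Parse "WxH" (pixels) or "WCxHC" (character cells) into two GEOM_LEN-byte
 * buffers. Inputs with more than GEOM_LEN-1 digits are rejected, not truncated
 * into an overflow: the conversion stops early and the literal separator
 * then fails to match, so sscanf does not return 2. */
enum geom_kind parse_geometry(const char *p, char *width, char *height)
{
    char fmt[64];

    build_fmt(fmt, sizeof fmt, GEOM_LEN, "x", "");      /* "%7[0-9]x%7[0-9]" */
    if (sscanf(p, fmt, width, height) == 2) {
        return GEOM_PIXELS;
    }
    build_fmt(fmt, sizeof fmt, GEOM_LEN, "Cx", "C");    /* "%7[0-9]Cx%7[0-9]C" */
    if (sscanf(p, fmt, width, height) == 2) {
        return GEOM_CHARS;
    }
    return GEOM_NONE;
}

/* Convenience wrapper: classify a geometry string without exposing buffers. */
int geometry_kind(const char *p)
{
    char width[GEOM_LEN], height[GEOM_LEN];
    return parse_geometry(p, width, height);
}

int main(void)
{
    char width[GEOM_LEN], height[GEOM_LEN];

    printf("%%8[0-9] on 8 digits stores %zu bytes into a %d-byte array\n",
           bytes_stored("12345678", 8), GEOM_LEN);
    printf("%%7[0-9] on 8 digits stores %zu bytes\n", bytes_stored("12345678", 7));

    if (parse_geometry("1024x768", width, height) == GEOM_PIXELS) {
        printf("pixels: %s x %s\n", width, height);
    }
    if (parse_geometry("80Cx24C", width, height) == GEOM_CHARS) {
        printf("chars:  %s cols x %s rows\n", width, height);
    }
    if (parse_geometry("12345678x600", width, height) == GEOM_NONE) {
        printf("8-digit width rejected rather than overflowing\n");
    }
    return 0;
}
```

Deriving the width from `sizeof` (or a shared constant) is the durable form of this fix: the literal `7` in the patch is correct only as long as the declaration it is paired with stays at `[8]`, and the two live in different places in the file.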

diff --git a/qemu-char.c b/qemu-char.c
index fc1c23d..649c9f9 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -2969,11 +2969,11 @@ QemuOpts *qemu_chr_parse_compat(const char *label, 
const char *filename)
     if (strstart(filename, "vc", &p)) {
         qemu_opt_set(opts, "backend", "vc");
         if (*p == ':') {
-            if (sscanf(p+1, "%8[0-9]x%8[0-9]", width, height) == 2) {
+            if (sscanf(p+1, "%7[0-9]x%7[0-9]", width, height) == 2) {
                 /* pixels */
                 qemu_opt_set(opts, "width", width);
                 qemu_opt_set(opts, "height", height);
-            } else if (sscanf(p+1, "%8[0-9]Cx%8[0-9]C", width, height) == 2) {
+            } else if (sscanf(p+1, "%7[0-9]Cx%7[0-9]C", width, height) == 2) {
                 /* chars */
                 qemu_opt_set(opts, "cols", width);
                 qemu_opt_set(opts, "rows", height);
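Review bot: the new field width 7 in both sscanf calls is silently coupled to the size 8 of the width/height arrays, which are declared outside this hunk, so the pairing is easy to break on the next edit; consider a comment at the declaration stating that the format width must stay one less than the array size, or deriving the width from the array size so that `%7[0-9]` cannot drift from `char width[8]`. Worth noting for the changelog as well: an input with 8 or more digits, such as `vc:12345678x600`, is no longer an overflow but is also no longer parsed, since the conversion stops after 7 digits and the literal `x` then fails to match, so sscanf returns 1 and both branches fall through.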
generated by git-patchbot for /home/xen/git/qemu-upstream-unstable.git

Xen-changelog mailing list
