From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([140.186.70.92]:53922) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1RlDUr-0006V6-4B for qemu-devel@nongnu.org; Thu, 12 Jan 2012 00:46:46 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1RlDUp-0001ub-GU for qemu-devel@nongnu.org; Thu, 12 Jan 2012 00:46:44 -0500 From: David Gibson Date: Thu, 12 Jan 2012 16:46:20 +1100 Message-Id: <1326347188-12119-2-git-send-email-david@gibson.dropbear.id.au> In-Reply-To: <1326347188-12119-1-git-send-email-david@gibson.dropbear.id.au> References: <1326347188-12119-1-git-send-email-david@gibson.dropbear.id.au> Subject: [Qemu-devel] [PATCH 1/9] load_image_targphys() should enforce the max size List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: agraf@suse.de Cc: qemu-ppc@nongnu.org, qemu-devel@nongnu.org From: Benjamin Herrenschmidt load_image_targphys() gets passed a max size for the file, but doesn't enforce it at all. Add a check and return -1 (error) if the file is too big, without loading it. Fix the bracing style in the function while we're at it. Signed-off-by: Benjamin Herrenschmidt Signed-off-by: David Gibson --- hw/loader.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) diff --git a/hw/loader.c b/hw/loader.c index 446b628..415cdce 100644 --- a/hw/loader.c +++ b/hw/loader.c @@ -108,8 +108,12 @@ int load_image_targphys(const char *filename, int size; size = get_image_size(filename); - if (size > 0) + if (size > max_sz) { + return -1; + } + if (size > 0) { rom_add_file_fixed(filename, addr, -1); + } return size; } -- 1.7.7.3
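Review bot: in the load_image_targphys() hunk, the new `size > max_sz` check tests the result of get_image_size(filename), but the load that follows, rom_add_file_fixed(filename, addr, -1), goes back to the file by name, and nothing visible here passes the limit to it. The bound is therefore enforced on a separate size query rather than on the bytes actually loaded. If the file can change between the two calls, an image larger than max_sz could still be loaded. Consider passing max_sz down to the ROM loader, or having it reject the file once the size it reads exceeds the limit. Two smaller points on the same lines: the too-big case returns the same -1 as a get_image_size() failure, so callers cannot tell "file too large" from "file missing" unless that is documented or reported here; and the return value of rom_add_file_fixed() is still ignored, so the function returns a positive size even when the ROM was not registered.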