From: "Richard W.M. Jones"
Date: Fri, 20 May 2011 19:03:31 +0100
Message-ID: <20110520180331.GA21837@amd.home.annexia.org>
Subject: [Qemu-devel] [PATCH] qemu: json: Fix parsing of integers >= 0x8000000000000000
To: qemu-devel@nongnu.org
Cc: Luiz Capitulino

There seem to be a few unsafe uses of strto* functions.  This patch
just fixes the one that affects me :-)

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into Xen guests.
http://et.redhat.com/~rjones/virt-p2v

Content-Disposition: attachment; filename="0001-json-Fix-parsing-of-integers-0x8000000000000000.patch"

From 6d58224bff821c49e91f5fe46c0e72f85e2583c6 Mon Sep 17 00:00:00 2001
From: Richard W.M. Jones Date: Fri, 20 May 2011 18:55:12 +0100 Subject: [PATCH] json: Fix parsing of integers >= 0x8000000000000000 Because of use of strtoll without any error checking, these integers were truncated to [-0x8000000000000000, 0x7fffffffffffffff]. If you passed a high memory address to (eg.) memsave, it would get clipped. For example memsave with val = 0xffffffff81000000 would actually read from address 0x7fffffffffffffff. Replace strtoll with strtoull, and add error checking. --- json-parser.c | 11 ++++++++++- 1 files changed, 10 insertions(+), 1 deletions(-) diff --git a/json-parser.c b/json-parser.c index 6c06ef9..3747ba5 100644 --- a/json-parser.c +++ b/json-parser.c @@ -512,6 +512,8 @@ static QObject *parse_literal(JSONParserContext *ctxt, QList **tokens) { QObject *token, *obj; QList *working = qlist_copy(*tokens); + const char *token_str; + unsigned long long ull; token = qlist_pop(working); switch (token_get_type(token)) { @@ -519,7 +521,14 @@ static QObject *parse_literal(JSONParserContext *ctxt, QList **tokens) obj = QOBJECT(qstring_from_escaped_str(ctxt, token)); break; case JSON_INTEGER: - obj = QOBJECT(qint_from_int(strtoll(token_get_value(token), NULL, 10))); + token_str = token_get_value(token); + errno = 0; + ull = strtoull(token_str, NULL, 10); + if (errno != 0) { + parse_error(ctxt, token, "invalid integer: %s", strerror(errno)); + return NULL; + } + obj = QOBJECT(qint_from_int(ull)); break; case JSON_FLOAT: /* FIXME dependent on locale */ -- 1.7.5.1 --WIyZ46R2i8wDzkSu--
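Review bot: the first hunk (@@ -512,6 +512,8 @@) adds the locals `token_str` and `ull` but no `#include`, while the `errno` and `strerror(errno)` introduced in the second hunk need `<errno.h>` and `<string.h>`; confirm json-parser.c already includes both or add them in this hunk next to the declarations. A one-line comment beside `unsigned long long ull;` saying that the value is deliberately allowed to exceed the signed range stored by `qint_from_int` (the [-0x8000000000000000, 0x7fffffffffffffff] range the commit message mentions) would also spare the next reader from "fixing" it back to a signed type.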
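Review bot: the error path in the second hunk (@@ -519,7 +521,14 @@) is incomplete in two ways. First, `strtoull` only sets `ERANGE` when the magnitude exceeds ULLONG_MAX, and it accepts a leading `-` by negating the result, so if the lexer hands a negative token such as `-9223372036854775809` to this case it passes the `errno` check and, once `qint_from_int(ull)` converts it back to a signed value, silently becomes 0x7fffffffffffffff; the clipping the commit message describes is moved to a different range rather than removed. Suggest parsing tokens that begin with `-` through `strtoll` with the same `errno` check and using `strtoull` only for non-negative tokens, and passing an `endptr` instead of `NULL` and rejecting the token when `*endptr != '\0'`. Second, the new `return NULL;` leaves the function directly, skipping whatever cleanup the existing failure exit does for `working` (the `qlist_copy` taken at the top of the function in the first hunk's context) and for the popped `token`; route the error through that exit instead of returning inline. A short comment that the conversion of a value >= 0x8000000000000000 to the signed type is implementation-defined in C, and that the fix relies on it yielding the two's-complement bit pattern, would document the intent.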