[Qemu-devel] [PULL 10/14] qemu-char: Fix potential out of bounds access
From: Michael Tokarev
Subject: [Qemu-devel] [PULL 10/14] qemu-char: Fix potential out of bounds access to local arrays
Date: Sun, 6 Oct 2013 13:32:55 +0400
From: Stefan Weil <address@hidden>
Latest gcc-4.8 supports a new option -fsanitize=address which activates
an AddressSanitizer. This AddressSanitizer stops the QEMU system emulation
very early because two character arrays of size 8 are potentially written
with 9 bytes.
Commit 6ea314d91439741e95772dfbab98b4135e04bebb added the code.
There is no obvious reason why width or height could need 8 characters,
so reduce it to 7 characters which together with the terminating '\0'
fit into the arrays.
Cc: qemu-stable <address@hidden>
Signed-off-by: Stefan Weil <address@hidden>
Reviewed-by: Alex Bennée <address@hidden>
Signed-off-by: Michael Tokarev <address@hidden>
---
qemu-char.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/qemu-char.c b/qemu-char.c
index f7f5464..6d393e6 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -2989,11 +2989,11 @@ QemuOpts *qemu_chr_parse_compat(const char *label,
const char *filename)
if (strstart(filename, "vc", &p)) {
qemu_opt_set(opts, "backend", "vc");
if (*p == ':') {
- if (sscanf(p+1, "%8[0-9]x%8[0-9]", width, height) == 2) {
+ if (sscanf(p+1, "%7[0-9]x%7[0-9]", width, height) == 2) {
/* pixels */
qemu_opt_set(opts, "width", width);
qemu_opt_set(opts, "height", height);
- } else if (sscanf(p+1, "%8[0-9]Cx%8[0-9]C", width, height) == 2) {
+ } else if (sscanf(p+1, "%7[0-9]Cx%7[0-9]C", width, height) == 2) {
/* chars */
qemu_opt_set(opts, "cols", width);
qemu_opt_set(opts, "rows", height);
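Review bot: the field widths in `%7[0-9]x%7[0-9]` and `%7[0-9]Cx%7[0-9]C` are only correct while `width` and `height` remain 8-byte arrays, and that declaration lies outside this hunk; consider a comment next to the arrays (or a width derived from the array size) so a later resize of either buffer does not silently bring the overflow back. Worth noting in the commit message too: an 8-digit dimension, which the old `%8[0-9]` accepted while writing past the buffer, now fails both sscanf calls, so this is a visible behaviour change for such inputs.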
--
1.7.10.4
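To show why the field width must be one less than the buffer size, here is an added example (not QEMU's code) that reproduces the fixed parsing in a standalone function; GEOM_BUF, geom_kind and the function names are invented for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not QEMU's own code: it mirrors the fixed parsing in
 * qemu_chr_parse_compat(). Both destination buffers are 8 bytes, so the
 * scanf field width must be at most 7 to leave room for the NUL terminator.
 * GEOM_BUF, geom_kind and the function names are invented for this example. */
#define GEOM_BUF 8

enum geom_kind { GEOM_NONE = 0, GEOM_PIXELS, GEOM_CHARS };

/* Parse "WIDTHxHEIGHT" (pixels, e.g. "800x600") or "WIDTHCxHEIGHTC"
 * (character cells, e.g. "80Cx25C") into two NUL-terminated strings.
 * Returns which form matched, or GEOM_NONE if neither did. */
enum geom_kind parse_vc_geometry(const char *spec,
                                 char width[GEOM_BUF], char height[GEOM_BUF])
{
    /* %7[0-9] stores at most 7 digits plus '\0', i.e. sizeof(char[8]).
     * The pre-fix %8[0-9] could store 9 bytes into an 8-byte array. */
    if (sscanf(spec, "%7[0-9]x%7[0-9]", width, height) == 2) {
        return GEOM_PIXELS;
    }
    if (sscanf(spec, "%7[0-9]Cx%7[0-9]C", width, height) == 2) {
        return GEOM_CHARS;
    }
    /* A partial match may have filled width; never hand stale data back. */
    width[0] = height[0] = '\0';
    return GEOM_NONE;
}

/* Returns 1 if spec parses to exactly the expected kind and strings. */
int vc_geometry_matches(const char *spec, enum geom_kind kind,
                        const char *exp_width, const char *exp_height)
{
    char width[GEOM_BUF], height[GEOM_BUF];
    return parse_vc_geometry(spec, width, height) == kind
        && strcmp(width, exp_width) == 0
        && strcmp(height, exp_height) == 0;
}

int main(void)
{
    char w[GEOM_BUF], h[GEOM_BUF];
    /* An 8-digit value no longer overflows: it simply fails to parse. */
    printf("%d\n", parse_vc_geometry("12345678x600", w, h));        /* prints 0 */
    printf("%d %s %s\n", parse_vc_geometry("80Cx25C", w, h), w, h); /* prints 2 80 25 */
    return 0;
}
```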