eif: cope with huge section offsets

Check for overflow so that fseek() does not receive a sign-extended value.

Cc: Dorjoy Chowdhury <dorjoychy111@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Paolo Bonzini 2024-11-05 13:53:55 +01:00
parent 8fa11a4df3
commit 619d144751
2 changed files with 8 additions and 0 deletions


@ -466,6 +466,10 @@ bool read_eif_file(const char *eif_path, const char *machine_initrd,
EifSectionHeader hdr; EifSectionHeader hdr;
uint16_t section_type; uint16_t section_type;
if (eif_header.section_offsets[i] > OFF_MAX) {
error_setg(errp, "Invalid EIF image. Section offset out of bounds");
goto cleanup;
}
if (fseek(f, eif_header.section_offsets[i], SEEK_SET) != 0) { if (fseek(f, eif_header.section_offsets[i], SEEK_SET) != 0) {
error_setg_errno(errp, errno, "Failed to offset to %" PRIu64 " in EIF file", error_setg_errno(errp, errno, "Failed to offset to %" PRIu64 " in EIF file",
eif_header.section_offsets[i]); eif_header.section_offsets[i]);
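Review bot: The new bound check `if (eif_header.section_offsets[i] > OFF_MAX)` guards the off_t range, but the call it protects is fseek(), whose offset parameter is `long` in ISO C; on hosts where `long` is narrower than off_t (LLP64 Windows, or 32-bit builds with 64-bit file offsets) a value between LONG_MAX and OFF_MAX still passes the check and is truncated or turned negative at the call, unless the project's headers map fseek() to a 64-bit variant on such hosts, which is not visible here. Either compare against the type fseek() actually takes, `if (eif_header.section_offsets[i] > LONG_MAX) {`, or keep OFF_MAX and call `fseeko(f, eif_header.section_offsets[i], SEEK_SET)` so the bound and the callee agree. A one-line comment on the check, `/* untrusted uint64_t offset: reject values that would go negative when converted for the seek */`, would record why the bound exists. read_eif_file's body continues outside the hunk, so whether a successful seek beyond EOF is caught by the subsequent section read cannot be confirmed from this hunk.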


@ -297,6 +297,10 @@ void QEMU_ERROR("code path is reachable")
#error building with G_DISABLE_ASSERT is not supported #error building with G_DISABLE_ASSERT is not supported
#endif #endif
#ifndef OFF_MAX
#define OFF_MAX (sizeof (off_t) == 8 ? INT64_MAX : INT32_MAX)
#endif
#ifndef O_LARGEFILE #ifndef O_LARGEFILE
#define O_LARGEFILE 0 #define O_LARGEFILE 0
#endif #endif
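Review bot: The new `OFF_MAX` definition carries no comment saying what it is for or why it is computed from `sizeof (off_t)` instead of being taken from a header; a comment such as `/* Largest value an off_t can hold; use to bounds-check untrusted 64-bit offsets before passing them to off_t-taking calls (fseeko, lseek). Guarded because some libc headers already define it. */` would help the next reader. Because the expression contains sizeof it is a valid integer constant expression for runtime comparisons and `_Static_assert`, but it cannot be used in a preprocessor `#if`; worth stating in the comment so nobody tries. Note also that this is the bound for off_t, not for `long`, so callers that use plain fseek() on hosts where `long` is 32-bit still need a separate check against LONG_MAX.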