From: Michael S. Tsirkin <mst@redhat.com>
Date: Sun, 1 Feb 2015 09:54:26 +0000 (+0200)
Subject: bios linker: validate pointer within table
X-Git-Tag: TizenStudio_2.0_p2.3.2~208^2~320^2~128
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=12e63900f01ce54702745d83f985e26042adda9b;p=sdk%2Femulator%2Fqemu.git

bios linker: validate pointer within table

buios linker assumes pointer parameter it gets
is within table, validate this.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---

diff --git a/hw/acpi/bios-linker-loader.c b/hw/acpi/bios-linker-loader.c
index 5cc4d90..d9382f8 100644
--- a/hw/acpi/bios-linker-loader.c
+++ b/hw/acpi/bios-linker-loader.c
@@ -141,6 +141,7 @@ void bios_linker_loader_add_pointer(GArray *linker,
                                     uint8_t pointer_size)
 {
     BiosLinkerLoaderEntry entry;
+    size_t offset = (gchar *)pointer - table->data;
 
     memset(&entry, 0, sizeof entry);
     strncpy(entry.pointer.dest_file, dest_file,
@@ -148,7 +149,8 @@ void bios_linker_loader_add_pointer(GArray *linker,
     strncpy(entry.pointer.src_file, src_file,
             sizeof entry.pointer.src_file - 1);
     entry.command = cpu_to_le32(BIOS_LINKER_LOADER_COMMAND_ADD_POINTER);
-    entry.pointer.offset = cpu_to_le32((gchar *)pointer - table->data);
+    assert(table->len >= offset + pointer_size);
+    entry.pointer.offset = cpu_to_le32(offset);
     entry.pointer.size = pointer_size;
     assert(pointer_size == 1 || pointer_size == 2 ||
            pointer_size == 4 || pointer_size == 8);