From patchwork Thu Feb 9 13:47:35 2017
X-Patchwork-Submitter: Cédric Le Goater
X-Patchwork-Id: 726104
From: Cédric Le Goater
To: Peter Maydell
Cc: Cédric Le Goater, qemu-arm@nongnu.org, qemu-devel@nongnu.org, Peter Crosthwaite
Date: Thu, 9 Feb 2017 14:47:35 +0100
Message-Id: <1486648058-520-2-git-send-email-clg@kaod.org>
In-Reply-To: <1486648058-520-1-git-send-email-clg@kaod.org>
References: <1486648058-520-1-git-send-email-clg@kaod.org>
Subject: [Qemu-devel] [PATCH 1/4] aspeed: check for negative values returned by blk_getlength()

write_boot_rom() does not check for negative values. This is more a problem for coverity than the actual code as the size of the flash device is checked when the m25p80 object is created. If there is anything wrong with the backing file, we should not even reach that path.

Signed-off-by: Cédric Le Goater

--- hw/arm/aspeed.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c index a92c2f1c362b..ac9cbd66b72a 100644 --- a/hw/arm/aspeed.c +++ b/hw/arm/aspeed.c 
@@ -113,9 +113,19 @@ static void write_boot_rom(DriveInfo *dinfo, hwaddr addr, size_t rom_size, { BlockBackend *blk = blk_by_legacy_dinfo(dinfo); uint8_t *storage; + int64_t size; - if (rom_size > blk_getlength(blk)) { - rom_size = blk_getlength(blk); + /* The block backend size should have already been 'validated' by + * the creation of the m25p80 object. + */ + size = blk_getlength(blk); + if (size <= 0) { + error_setg(errp, "failed to get flash size"); + return; + } + + if (rom_size > size) { + rom_size = size; } storage = g_new0(uint8_t, rom_size);
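
Review bot: The `if (size <= 0)` branch in write_boot_rom() reports a failed blk_getlength() call and a zero-length backend with the same message, "failed to get flash size", and discards the error code. blk_getlength() returns a negative errno on failure, so the negative case could call `error_setg_errno(errp, -size, "failed to get flash size")` and the zero case could carry its own message; that lets the log distinguish an unreadable backing file from an empty one. The new comment puts 'validated' in quotes without saying what the m25p80 creation checks. One sentence naming that check would let a reader judge whether this branch is reachable at all. Once `size` is known to be positive, the `rom_size > size` comparison and the assignment back into the `size_t` no longer depend on a signed-to-unsigned conversion of a negative value, and the commit message could state that next to the Coverity remark.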