A bug in console.c causes heap corruption when qemu is started without a graphical console (-nographic). In this case, the console height and width are both 0, resulting in allocation of a zero-length cells array.
Heap corruption is caused by code that assumes the cells array always has at least one element. The attached patch avoids this problem simply by making the cells array one byte larger than necessary, i.e. length 1 in the -nographic case. --Ed
diff -burN qemu-snapshot-2006-03-27_23.orig/console.c qemu-snapshot-2006-03-27_23/console.c --- qemu-snapshot-2006-03-27_23.orig/console.c 2006-03-11 07:35:30.000000000 -0800 +++ qemu-snapshot-2006-03-27_23/console.c 2006-04-06 00:25:41.000000000 -0700 @@ -407,7 +407,8 @@ if (s->width < w1) w1 = s->width; - cells = qemu_malloc(s->width * s->total_height * sizeof(TextCell)); + cells = qemu_malloc((s->width * s->total_height + 1) * sizeof(TextCell)); + /* Add one extra in case s->width is 0, so we can still store one character. */ for(y = 0; y < s->total_height; y++) { c = &cells[y * s->width]; if (w1 > 0) {
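Review bot: the `+ 1` in the qemu_malloc call papers over the assumption rather than removing it. With s->width == 0, every row pointer computed in the loop that follows, `c = &cells[y * s->width];`, aliases cells[0], so the single spare TextCell is shared by all rows and any caller that writes more than one cell into a row would still run past the allocation. Consider handling the zero-size case at its source instead, for example by clamping width and total_height to at least 1 when no graphical console is present, or by skipping the per-row copy when the product is 0, so the cells array always matches the dimensions the rest of console.c indexes with. Minor: the explanatory comment is placed after the statement it describes; moving it to the line before the qemu_malloc call reads more naturally.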
_______________________________________________ Qemu-devel mailing list Qemu-devel@nongnu.org http://lists.nongnu.org/mailman/listinfo/qemu-devel