Check for overflow to avoid that fseek() receives a sign-extended value.
Cc: Dorjoy Chowdhury <dorjoychy...@gmail.com>
Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>
---
include/qemu/osdep.h | 4 ++++
hw/core/eif.c | 4 ++++
2 files changed, 8 insertions(+)
diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h
index fe7c3c5f673..fdff07fd992 100644
--- a/include/qemu/osdep.h
+++ b/include/qemu/osdep.h
@@ -297,6 +297,10 @@ void QEMU_ERROR("code path is reachable")
#error building with G_DISABLE_ASSERT is not supported
#endif
+#ifndef OFF_MAX
+#define OFF_MAX (sizeof (off_t) == 8 ? INT64_MAX : INT32_MAX)
+#endif
+
#ifndef O_LARGEFILE
#define O_LARGEFILE 0
#endif
diff --git a/hw/core/eif.c b/hw/core/eif.c
index 7f3b2edc9a7..61329aacfe1 100644
--- a/hw/core/eif.c
+++ b/hw/core/eif.c
@@ -466,6 +466,10 @@ bool read_eif_file(const char *eif_path, const char
*machine_initrd,
EifSectionHeader hdr;
uint16_t section_type;
+ if (eif_header.section_offsets[i] > OFF_MAX) {
+ error_setg(errp, "Invalid EIF image. Section offset out of
bounds");
+ goto cleanup;
+ }
if (fseek(f, eif_header.section_offsets[i], SEEK_SET) != 0) {
error_setg_errno(errp, errno, "Failed to offset to %" PRIu64 " in
EIF file",
eif_header.section_offsets[i]);
--
2.47.0
