On Fri, 2025-01-24 at 08:20 -0500, Xiaoyao Li wrote:
> diff --git a/system/runstate.c b/system/runstate.c
> index 272801d30769..c4244c8915c6 100644
> --- a/system/runstate.c
> +++ b/system/runstate.c
> @@ -565,6 +565,60 @@ static void qemu_system_wakeup(void)
> }
> }
>
> +static char *tdx_parse_panic_message(char *message)
> +{
> + bool printable = false;
> + char *buf = NULL;
> + int len = 0, i;
> +
> + /*
> + * Although message is defined as a json string, we shouldn't
> + * unconditionally treat it as is because the guest generated it
> and
> + * it's not necessarily trustable.
> + */
> + if (message) {
> + /* The caller guarantees the NULL-terminated string. */
> + len = strlen(message);
> +
> + printable = len > 0;
> + for (i = 0; i < len; i++) {
> + if (!(0x20 <= message[i] && message[i] <= 0x7e)) {
> + printable = false;
> + break;
> + }
> + }
> + }
> +
> + if (len == 0) {
> + buf = g_malloc(1);
> + buf[0] = '\0';
> + } else {
> + if (!printable) {
> + /* 3 = length of "%02x " */
> + buf = g_malloc(len * 3);
> + for (i = 0; i < len; i++) {
> + if (message[i] == '\0') {
> + break;
> + } else {
> + sprintf(buf + 3 * i, "%02x ", message[i]);
> + }
> + }
> + if (i > 0) {
> + /* replace the last ' '(space) to NULL */
> + buf[i * 3 - 1] = '\0';
> + } else {
> + buf[0] = '\0';
> + }
> +
> + } else {
> + buf = g_malloc(len);
> + memcpy(buf, message, len);
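Review bot: The hex-dump branch can write past its `g_malloc(len * 3)` buffer on guest-controlled input, for two separate reasons. `sprintf(buf + 3 * i, "%02x ", message[i])` passes a plain `char`, so on targets where `char` is signed any byte ≥ 0x80 is sign-extended and prints as eight hex digits instead of two, overrunning the three-byte slot; and even for valid bytes the final call's terminating NUL lands at index `len * 3`, one byte beyond the allocation. Both are fixed by `buf = g_malloc(len * 3 + 1);` and `sprintf(buf + 3 * i, "%02x ", (unsigned char)message[i]);`, or more simply by building the string with a bounded `snprintf` per byte. The comment above the loop already notes the message is untrusted, which is exactly why this path needs the bound to hold. The body of `tdx_parse_panic_message` continues past the quoted part of the hunk.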
This fails to null-terminate the message string in buf.