Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538
The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2() wrapper.
Signed-off-by: Philippe Mathieu-Daudé <phi...@redhat.com>
---
softmmu/memory.c | 2 +-
softmmu/vl.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/softmmu/memory.c b/softmmu/memory.c
index bfedaf9c4df..1db019393b6 100644
--- a/softmmu/memory.c
+++ b/softmmu/memory.c
@@ -1140,7 +1140,7 @@ static char *memory_region_escape_name(const char *name)
 bytes += memory_region_need_escape(*p) ? 4 : 1;
 }
 if (bytes == p - name) {
- return g_memdup(name, bytes + 1);
+ return g_memdup2(name, bytes + 1);
 }
 escaped = g_malloc(bytes + 1);
diff --git a/softmmu/vl.c b/softmmu/vl.c
index ea05bb39c50..7a44c63a6ad 100644
--- a/softmmu/vl.c
+++ b/softmmu/vl.c
@@ -1154,7 +1154,7 @@ static int parse_fw_cfg(void *opaque, QemuOpts *opts, Error **errp)
 }
 if (nonempty_str(str)) {
 size = strlen(str); /* NUL terminator NOT included in fw_cfg blob */
- buf = g_memdup(str, size);
+ buf = g_memdup2(str, size);
 } else if (nonempty_str(gen_id)) {
 if (!fw_cfg_add_from_generator(fw_cfg, name, gen_id, errp)) {
 return -1;
--
2.31.1
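Review bot: The switch to g_memdup2() only removes the truncation if the length handed to it is already gsize-wide, and neither length variable is declared inside the hunks: `bytes` in memory_region_escape_name (memory.c hunk) and `size` in parse_fw_cfg (vl.c hunk, where `size = strlen(str);` is assigned one line above the change). If either is still a `guint`/`int`, the 64-to-32-bit narrowing the commit message describes simply happens at the assignment instead of inside g_memdup(), and the duplicated heap block is again shorter than the caller assumes; worth confirming in the same commit that both are `size_t`/`gsize`. The calls also presumably rely on the g_memdup2() compatibility definition the message refers to as a "wrapper" for GLib releases that predate the function, so that definition should be guaranteed to be in scope where these files are built rather than silently falling back to an undeclared symbol. Both enclosing functions start and end outside their hunks.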