author | Colin Watson <cjwatson@ubuntu.com> | 2010-10-20 21:23:02 +0200 |
---|---|---|
committer | Sebastian Herbszt <herbszt@gmx.de> | 2010-10-20 21:25:38 +0200 |
commit | 778fcea7d4e3e2a595df0a18475d83d008216117 (patch) | |
tree | a90df2ccb3bc687c67e11d4879100db17afc8e3e | |
parent | 94fbd0b8d206102757cecd3dbd67cd701fb70470 (diff) | |
gfxboot: fix buffer overrun when loading kernel/initramfs
syslinux-4.03
If the file size wasn't a multiple of 64KB, we could overwrite the next
entry in the malloc arena so reading the initramfs would fail.
Signed-off-by: Colin Watson <cjwatson@ubuntu.com>
Signed-off-by: Sebastian Herbszt <herbszt@gmx.de>
-rw-r--r-- | com32/gfxboot/gfxboot.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/com32/gfxboot/gfxboot.c b/com32/gfxboot/gfxboot.c
index 3b09e74a..2323f8ed 100644
--- a/com32/gfxboot/gfxboot.c
+++ b/com32/gfxboot/gfxboot.c
@@ -21,6 +21,7 @@
 #include <fcntl.h>
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <minmax.h>
 #include <syslinux/loadfile.h>
 #include <syslinux/config.h>
 
@@ -770,7 +771,7 @@ void *load_one(char *file, ssize_t *file_size)
 if(size) {
 buf = malloc(size);
 for(i = 1, cur = 0 ; cur < size && i > 0; cur += i) {
- i = save_read(fd, buf + cur, CHUNK_SIZE);
+ i = save_read(fd, buf + cur, min(CHUNK_SIZE, size - cur));
 if(i == -1) break;
 gfx_progress_update(i);
 } |
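Review bot: The result of `buf = malloc(size);` in load_one is still used unchecked, so when the allocation fails the clamped `save_read(fd, buf + cur, ...)` call writes through a null-based pointer. A check such as `if(!buf) { /* take the function's existing failure path */ }` before the `for` loop would close that gap; the cleanup it needs (the descriptor, the value stored through `file_size`) is outside the hunk, so it has to follow whatever load_one already does on error. The clamp itself would benefit from a short comment, for example `/* never read past the size bytes allocated for buf */`, since the overrun it prevents is not obvious from the call alone. The declarations of `size`, `cur` and `i` are also outside the hunk, so it is worth confirming that `min(CHUNK_SIZE, size - cur)` compares operands of the same signedness.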