aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStefan Weil <sw@weilnetz.de>2013-09-30 23:04:49 +0200
committerMichael Tokarev <mjt@tls.msk.ru>2013-10-05 13:05:15 +0400
commit49aa4058ac6dd0081aaa45776f07c98df397ca5e (patch)
tree810fdef3de54da503f6bd3207fc7728bb1724f8c
parent4b351a0f212769deda960da44e299f44d5da0737 (diff)
qemu-char: Fix potential out of bounds access to local arrays
Latest gcc-4.8 supports a new option -fsanitize=address which activates an AddressSanitizer. This AddressSanitizer stops the QEMU system emulation very early because two character arrays of size 8 are potentially written with 9 bytes. Commit 6ea314d91439741e95772dfbab98b4135e04bebb added the code. There is no obvious reason why width or height could need 8 characters, so reduce it to 7 characters which together with the terminating '\0' fit into the arrays. Cc: qemu-stable <qemu-stable@nongnu.org> Signed-off-by: Stefan Weil <sw@weilnetz.de> Reviewed-by: Alex Bennée <alex@bennee.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
-rw-r--r--qemu-char.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/qemu-char.c b/qemu-char.c
index f7f5464b67..6d393e6a1b 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -2989,11 +2989,11 @@ QemuOpts *qemu_chr_parse_compat(const char *label, const char *filename)
if (strstart(filename, "vc", &p)) {
qemu_opt_set(opts, "backend", "vc");
if (*p == ':') {
- if (sscanf(p+1, "%8[0-9]x%8[0-9]", width, height) == 2) {
+ if (sscanf(p+1, "%7[0-9]x%7[0-9]", width, height) == 2) {
/* pixels */
qemu_opt_set(opts, "width", width);
qemu_opt_set(opts, "height", height);
- } else if (sscanf(p+1, "%8[0-9]Cx%8[0-9]C", width, height) == 2) {
+ } else if (sscanf(p+1, "%7[0-9]Cx%7[0-9]C", width, height) == 2) {
/* chars */
qemu_opt_set(opts, "cols", width);
qemu_opt_set(opts, "rows", height);