eif: cope with huge section offsets

Check for overflow to avoid that fseek() receives a sign-extended value. Cc: Dorjoy Chowdhury <dorjoychy111@gmail.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
author: Paolo Bonzini <pbonzini@redhat.com> 2024-11-05 13:53:55 +0100
committer: Paolo Bonzini <pbonzini@redhat.com> 2024-11-07 16:54:02 +0100
commit: 619d144751e6685b24ded9029fe9c484c0494c30 (patch)
tree: 75788eb1f3e576a92b5c5d0c678cfda67e1df0d4 /hw/core/eif.c
parent: 8fa11a4df344f58375eb26b3b65004345f21ef37 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/hw/core/eif.c b/hw/core/eif.c
index 7f3b2edc9a..61329aacfe 100644
--- a/hw/core/eif.c
+++ b/hw/core/eif.c
@@ -466,6 +466,10 @@ bool read_eif_file(const char *eif_path, const char *machine_initrd,
         EifSectionHeader hdr;
         uint16_t section_type;
 
+        if (eif_header.section_offsets[i] > OFF_MAX) {
+            error_setg(errp, "Invalid EIF image. Section offset out of bounds");
+            goto cleanup;
+        }
         if (fseek(f, eif_header.section_offsets[i], SEEK_SET) != 0) {
             error_setg_errno(errp, errno, "Failed to offset to %" PRIu64 " in EIF file",
                              eif_header.section_offsets[i]);
author	Paolo Bonzini <pbonzini@redhat.com>	2024-11-05 13:53:55 +0100
committer	Paolo Bonzini <pbonzini@redhat.com>	2024-11-07 16:54:02 +0100
commit	619d144751e6685b24ded9029fe9c484c0494c30 (patch)
tree	75788eb1f3e576a92b5c5d0c678cfda67e1df0d4 /hw/core/eif.c
parent	8fa11a4df344f58375eb26b3b65004345f21ef37 (diff)