Diffstat (limited to 'hw/usb')
-rw-r--r--hw/usb/dev-mtp.c11
1 files changed, 9 insertions, 2 deletions
diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index ebf210fbf8..99548b012d 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -1699,12 +1699,19 @@ static void usb_mtp_write_metadata(MTPState *s, uint64_t dlen)
MTPObject *o;
MTPObject *p = usb_mtp_object_lookup(s, s->dataset.parent_handle);
uint32_t next_handle = s->next_handle;
+ size_t filename_chars = dlen - offsetof(ObjectInfo, filename);
+
+ /*
+ * filename is utf-16. We're intentionally doing
+ * integer division to truncate if malicious guest
+ * sent an odd number of bytes.
+ */
+ filename_chars /= 2;
assert(!s->write_pending);
assert(p != NULL);
- filename = utf16_to_str(MIN(dataset->length,
- dlen - offsetof(ObjectInfo, filename)),
+ filename = utf16_to_str(MIN(dataset->length, filename_chars),
dataset->filename);
if (strchr(filename, '/')) {