[syslinux] [PATCH] gfxboot: fix buffer overrun when loadingkernel/initramfs
Sebastian Herbszt
herbszt at gmx.de
Thu Jul 15 05:54:19 PDT 2010
Colin Watson wrote:
> If the file size wasn't a multiple of 64KB, we could overwrite the next
> entry in the malloc arena so reading the initramfs would fail.
Can you please describe how to reproduce the problem you're facing?
> Signed-off-by: Colin Watson <cjwatson at ubuntu.com>
> ---
> com32/gfxboot/gfxboot.c | 3 ++-
> 1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/com32/gfxboot/gfxboot.c b/com32/gfxboot/gfxboot.c
> index dd4d641..0fbfadd 100644
> --- a/com32/gfxboot/gfxboot.c
> +++ b/com32/gfxboot/gfxboot.c
> @@ -21,6 +21,7 @@
> #include <fcntl.h>
> #include <sys/types.h>
> #include <sys/stat.h>
> +#include <minmax.h>
>
> #include <syslinux/loadfile.h>
> #include <syslinux/config.h>
> @@ -749,7 +750,7 @@ void *load_one(char *file, ssize_t *file_size)
> if(size) {
> buf = malloc(size);
> for(i = 1, cur = 0 ; cur < size && i > 0; cur += i) {
> - i = save_read(fd, buf + cur, CHUNK_SIZE);
> + i = save_read(fd, buf + cur, min(CHUNK_SIZE, size - cur));
If there are fewer bytes to read (e.g. size-cur) than we request (CHUNK_SIZE) the
read() call should return the fewer bytes (i == size-cur) and not overrun buf.
> if(i == -1) break;
> gfx_progress_update(i);
> }
> --
> 1.7.1
Sebastian
More information about the Syslinux
mailing list