strtoul(l) might overflow, in which case it'll return '-1' and set the appropriate error code. So update the calls to strtoul(l) when parsing hex properties to avoid silent overflows.
Signed-off-by: Hannes Reinecke <[email protected]>
---
 hw/core/qdev-properties.c | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/hw/core/qdev-properties.c b/hw/core/qdev-properties.c
index dc8ae69..4891a01 100644
--- a/hw/core/qdev-properties.c
+++ b/hw/core/qdev-properties.c
@@ -191,6 +191,7 @@ PropertyInfo qdev_prop_uint8 = {
 static int parse_hex8(DeviceState *dev, Property *prop, const char *str)
 {
+ unsigned long val;
 uint8_t *ptr = qdev_get_prop_ptr(dev, prop);
 char *end;
@@ -198,11 +199,18 @@ static int parse_hex8(DeviceState *dev, Property *prop, const char *str)
 return -EINVAL;
 }
- *ptr = strtoul(str, &end, 16);
+ errno = 0;
+ val = strtoul(str, &end, 16);
+ if (errno) {
+ return -errno;
+ }
+ if (val > 255) {
+ return -ERANGE;
+ }
 if ((*end != '\0') || (end == str)) {
 return -EINVAL;
 }
-
+ *ptr = val;
 return 0;
 }
@@ -329,7 +337,11 @@ static int parse_hex32(DeviceState *dev, Property *prop, const char *str)
 return -EINVAL;
 }
+ errno = 0;
 *ptr = strtoul(str, &end, 16);
+ if (errno) {
+ return -errno;
+ }
 if ((*end != '\0') || (end == str)) {
 return -EINVAL;
 }
@@ -396,7 +408,11 @@ static int parse_hex64(DeviceState *dev, Property *prop, const char *str)
 return -EINVAL;
 }
+ errno = 0;
 *ptr = strtoull(str, &end, 16);
+ if (errno) {
+ return -errno;
+ }
 if ((*end != '\0') || (end == str)) {
 return -EINVAL;
 }
-- 
1.8.1.4
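Review bot: The bound in `if (val > 255) {` in parse_hex8 is a bare literal that has to be kept in step with the `uint8_t *ptr` declared in the previous hunk; `if (val > UINT8_MAX) {` states the limit in terms of the destination type. Because the errno and range checks run before the trailing-character check, a string that both overflows and has trailing junk is reported as -ERANGE rather than -EINVAL. If that order is intended, a short comment such as `/* range errors take precedence over trailing garbage */` would record it. The function begins in the previous hunk.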
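Review bot: In parse_hex32 the strtoul() result is still stored straight into `*ptr`, so where unsigned long is 64 bits a value above 0xffffffff sets no errno and is silently truncated, which is the overflow this commit sets out to catch (assuming `ptr` is a `uint32_t *`; its declaration is above the hunk). The store also happens before any check, so a string rejected with -errno or -EINVAL has already overwritten the property. The parse_hex64 hunk below has the same store-before-validate order. Parsing into a local as parse_hex8 now does, range-checking it and assigning only after the trailing-character check addresses both. The function starts and ends outside the hunk, so the new local belongs with the declarations above it.

```c
    unsigned long val;  /* new local, next to the declarations above the hunk */

    errno = 0;
    val = strtoul(str, &end, 16);
    /* … unchanged: errno check … */
    if (val > UINT32_MAX) {
        return -ERANGE;
    }
    /* … unchanged: trailing-character check … */
    *ptr = val;
```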
