liujunjie <[email protected]> writes: > qstring_from_substr() parameters @start and @end are of type int. > blkdebug_parse_filename(), blkverify_parse_filename(), nbd_parse_uri(), > and qstring_from_str() pass @end values of type size_t or ptrdiff_t. > Values exceeding INT_MAX get truncated, with possibly disastrous > results. > > Such huge substrings seem unlikely, but we found one in a core dump, > where "info tlb" executed via QMP's human-monitor-command apparently > produced 35 GiB of output. > > Fix by changing the parameters size_t. > > Signed-off-by: liujunjie <[email protected]> > --- > include/qapi/qmp/qstring.h | 2 +- > qobject/qstring.c | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/include/qapi/qmp/qstring.h b/include/qapi/qmp/qstring.h > index b3b3d44..3e83e3a 100644 > --- a/include/qapi/qmp/qstring.h > +++ b/include/qapi/qmp/qstring.h > @@ -24,7 +24,7 @@ struct QString { > > QString *qstring_new(void); > QString *qstring_from_str(const char *str); > -QString *qstring_from_substr(const char *str, int start, int end); > +QString *qstring_from_substr(const char *str, size_t start, size_t end); > size_t qstring_get_length(const QString *qstring); > const char *qstring_get_str(const QString *qstring); > const char *qstring_get_try_str(const QString *qstring); > diff --git a/qobject/qstring.c b/qobject/qstring.c > index afca54b..18b8eb8 100644 > --- a/qobject/qstring.c > +++ b/qobject/qstring.c > @@ -37,7 +37,7 @@ size_t qstring_get_length(const QString *qstring) > * > * Return string reference > */ > -QString *qstring_from_substr(const char *str, int start, int end) > +QString *qstring_from_substr(const char *str, size_t start, size_t end) > { > QString *qstring;
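Review bot: In the qstring.h hunk, changing the declaration from `int start, int end` to `size_t start, size_t end` silently changes how existing callers convert their arguments: the commit message names callers passing ptrdiff_t, which is signed, so a negative difference that previously arrived as a negative int now arrives as a value near SIZE_MAX. Suggest checking each caller listed in the message (blkdebug_parse_filename(), blkverify_parse_filename(), nbd_parse_uri(), qstring_from_str()) to confirm none can compute end < start, and noting that invariant in the header next to the prototype.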
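Review bot: In the qstring.c hunk, only the signature line changes; the body that uses @start and @end lies outside the shown context, so the patch as posted does not show how the new unsigned parameters are handled there. With both parameters unsigned, an end < start call no longer yields a negative length that a later sanity check could catch but wraps to a huge value and allocation size. Suggest adding an explicit `assert(start <= end);` at the top of the function body, and extending the doc comment above (the visible part reads only "Return string reference") to state the meaning of @start and @end, including whether @end is inclusive.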
Reviewed-by: Markus Armbruster <[email protected]>
