From: Benjamin Herrenschmidt <b...@kernel.crashing.org>

load_image_targphys() gets passed a max size for the file, but
doesn't enforce it at all. Add a check and return -1 (error) if
the file is too big, without loading it.

Signed-off-by: Benjamin Herrenschmidt <b...@kernel.crashing.org>
Signed-off-by: David Gibson <da...@gibson.dropbear.id.au>
---
 hw/loader.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/hw/loader.c b/hw/loader.c
index 446b628..7ad9e22 100644
--- a/hw/loader.c
+++ b/hw/loader.c
@@ -108,6 +108,8 @@ int load_image_targphys(const char *filename,
     int size;
 
     size = get_image_size(filename);
+    if (size > max_sz)
+       return -1;
     if (size > 0)
         rom_add_file_fixed(filename, addr, -1);
     return size;
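Review bot: The added `if (size > max_sz)` path returns a bare -1, so a caller cannot tell an oversized image from any other non-positive result that `return size;` already passes back from get_image_size(). Consider emitting a diagnostic that names the file and the limit before returning, so that a rejected image is not mistaken for a missing one. The declaration of max_sz is outside this hunk; since size is an int, it is worth confirming that the comparison does not mix signed and unsigned types in a way that changes the result for a negative size. On style, the `return -1;` line is indented seven spaces rather than eight, and QEMU's coding style asks for braces around the body of the `if`.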
-- 
1.7.7.3

