authorColin Watson <cjwatson@ubuntu.com>2010-10-20 21:23:02 +0200
committerSebastian Herbszt <herbszt@gmx.de>2010-10-20 21:25:38 +0200
commit778fcea7d4e3e2a595df0a18475d83d008216117 (patch)
treea90df2ccb3bc687c67e11d4879100db17afc8e3e
parent94fbd0b8d206102757cecd3dbd67cd701fb70470 (diff)
gfxboot: fix buffer overrun when loading kernel/initramfs
If the file size wasn't a multiple of 64KB, we could overwrite the next entry in the malloc arena so reading the initramfs would fail. Signed-off-by: Colin Watson <cjwatson@ubuntu.com> Signed-off-by: Sebastian Herbszt <herbszt@gmx.de>
-rw-r--r--com32/gfxboot/gfxboot.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/com32/gfxboot/gfxboot.c b/com32/gfxboot/gfxboot.c
index 3b09e74a..2323f8ed 100644
--- a/com32/gfxboot/gfxboot.c
+++ b/com32/gfxboot/gfxboot.c
@@ -21,6 +21,7 @@
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
+#include <minmax.h>
#include <syslinux/loadfile.h>
#include <syslinux/config.h>
@@ -770,7 +771,7 @@ void *load_one(char *file, ssize_t *file_size)
if(size) {
buf = malloc(size);
for(i = 1, cur = 0 ; cur < size && i > 0; cur += i) {
- i = save_read(fd, buf + cur, CHUNK_SIZE);
+ i = save_read(fd, buf + cur, min(CHUNK_SIZE, size - cur));
if(i == -1) break;
gfx_progress_update(i);
}
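Review bot: The result of `buf = malloc(size);` is still passed straight to `save_read(fd, buf + cur, ...)` with no NULL check, so a failed allocation for a large kernel or initramfs turns the now-bounded read into a write through a null-based pointer. A guard such as `if(!buf) { /* take load_one's existing failure path */ }` ahead of the `for` loop would close that gap. What the failure path should release (for example `fd`) is not visible here, because load_one's body starts and ends outside the hunk. It is also worth confirming that `CHUNK_SIZE` and `size - cur` have the same signedness and width, since a type-based `min()` macro from `<minmax.h>` (its definition is not shown) could otherwise compare them after an implicit conversion. A one-line comment on the read, e.g. `/* never read past the end of buf: the last chunk may be shorter than CHUNK_SIZE */`, would keep the reason for the clamp next to the code.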