diff options
| author | Pavel Holica <conscript89@gmail.com> | 2013-11-06 23:24:16 +0100 |
|---|---|---|
| committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2013-11-07 01:23:54 -0500 |
| commit | f576cd2092bc40f9998415cdc3caf10035d4743a (patch) | |
| tree | 64cfc91f6cc20d1eef34eaa25b0eb5dc559ad127 | |
| parent | fd201fda7d70f37c77db715562242afc7f8e0fdd (diff) | |
acpi-fpdt: break on zero or negative length read
https://bugzilla.redhat.com/show_bug.cgi?id=1027478
| -rw-r--r-- | src/shared/acpi-fpdt.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/shared/acpi-fpdt.c b/src/shared/acpi-fpdt.c index 75648b4d86..7bae47f85f 100644 --- a/src/shared/acpi-fpdt.c +++ b/src/shared/acpi-fpdt.c @@ -109,6 +109,8 @@ int acpi_get_boot_usec(usec_t *loader_start, usec_t *loader_exit) { for (rec = (struct acpi_fpdt_header *)(buf + sizeof(struct acpi_table_header)); (char *)rec < buf + l; rec = (struct acpi_fpdt_header *)((char *)rec + rec->length)) { + if (rec->length <= 0) + break; if (rec->type != ACPI_FPDT_TYPE_BOOT) continue; if (rec->length != sizeof(struct acpi_fpdt_header)) |