From ac63ddd70a5ccf5ebf790f06ea4cd4ed794c3978 Mon Sep 17 00:00:00 2001
From: Matthew Daley <mattjd@gmail.com>
Date: Fri, 14 Jun 2013 16:45:41 +0100
Subject: libxc: check blob size before proceeding in xc_dom_check_gzip

This is part of the fix to a security issue, XSA-55.

Signed-off-by: Matthew Daley <mattjd@gmail.com>
---
 tools/libxc/xc_dom_core.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/tools/libxc/xc_dom_core.c b/tools/libxc/xc_dom_core.c
index 3cbf9f791e..f8d1b08ba8 100644
--- a/tools/libxc/xc_dom_core.c
+++ b/tools/libxc/xc_dom_core.c
@@ -284,6 +284,11 @@ size_t xc_dom_check_gzip(xc_interface *xch, void *blob, size_t ziplen)
     unsigned char *gzlen;
     size_t unziplen;
 
+    if ( ziplen < 6 )
+        /* Too small.  We need (i.e. the subsequent code relies on)
+         * 2 bytes for the magic number plus 4 bytes length. */
+        return 0;
+
     if ( strncmp(blob, "\037\213", 2) )
         /* not gzipped */
         return 0;
-- 
cgit v1.2.3