From 966070058d02cce9684e30073b61d6465e4b351c Mon Sep 17 00:00:00 2001
From: Matthew Daley <mattjd@gmail.com>
Date: Fri, 14 Jun 2013 16:39:38 +0100
Subject: libxc: check blob size before proceeding in xc_dom_check_gzip

This is part of the fix to a security issue, XSA-55.

Signed-off-by: Matthew Daley <mattjd@gmail.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

v8: Add a comment explaining where the number 6 comes from.

v6: This patch is new in v6 of the series.
---
 tools/libxc/xc_dom_core.c | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'tools/libxc')

diff --git a/tools/libxc/xc_dom_core.c b/tools/libxc/xc_dom_core.c
index 1a14d3c5ce..5f188c1321 100644
--- a/tools/libxc/xc_dom_core.c
+++ b/tools/libxc/xc_dom_core.c
@@ -284,6 +284,11 @@ size_t xc_dom_check_gzip(xc_interface *xch, void *blob, size_t ziplen)
     unsigned char *gzlen;
     size_t unziplen;
 
+    if ( ziplen < 6 )
+        /* Too small.  We need (i.e. the subsequent code relies on)
+         * 2 bytes for the magic number plus 4 bytes length. */
+        return 0;
+
     if ( strncmp(blob, "\037\213", 2) )
         /* not gzipped */
         return 0;
-- 
cgit v1.2.3