acpi-fpdt: break on zero or negative length read

https://bugzilla.redhat.com/show_bug.cgi?id=1027478
2013-11-06 23:24:16 +01:00 · 2013-11-06 23:24:16 +01:00 · f576cd2092
parent fd201fda7d
commit f576cd2092
1 changed files with 2 additions and 0 deletions
--- a/src/shared/acpi-fpdt.c
+++ b/src/shared/acpi-fpdt.c
@ -109,6 +109,8 @@ int acpi_get_boot_usec(usec_t *loader_start, usec_t *loader_exit) {
        for (rec = (struct acpi_fpdt_header *)(buf + sizeof(struct acpi_table_header));
             (char *)rec < buf + l;
             rec = (struct acpi_fpdt_header *)((char *)rec + rec->length)) {
+                if (rec->length <= 0)
+                        break;
                if (rec->type != ACPI_FPDT_TYPE_BOOT)
                        continue;
                if (rec->length != sizeof(struct acpi_fpdt_header))