We mustn't assume qemu_realloc() returns the same pointer in acpi_table_add(). Therefore, 'p' might be invalid if it's relative to the old value of acpi_tables. Signed-off-by: Eduard - Gabriel Munteanu <eduard.munteanu@xxxxxxxxxxx> --- hw/acpi.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) diff --git a/hw/acpi.c b/hw/acpi.c index d293127..7c4e8d3 100644 --- a/hw/acpi.c +++ b/hw/acpi.c @@ -857,7 +857,7 @@ int acpi_table_add(const char *t) char buf[1024], *p, *f; struct acpi_table_header acpi_hdr; unsigned long val; - size_t off; + size_t newlen, off; memset(&acpi_hdr, 0, sizeof(acpi_hdr)); @@ -938,9 +938,10 @@ int acpi_table_add(const char *t) acpi_tables_len = sizeof(uint16_t); acpi_tables = qemu_mallocz(acpi_tables_len); } + newlen = acpi_tables_len + sizeof(uint16_t) + acpi_hdr.length; + acpi_tables = qemu_realloc(acpi_tables, newlen); p = acpi_tables + acpi_tables_len; - acpi_tables_len += sizeof(uint16_t) + acpi_hdr.length; - acpi_tables = qemu_realloc(acpi_tables, acpi_tables_len); + acpi_tables_len = newlen; acpi_hdr.length = cpu_to_le32(acpi_hdr.length); *(uint16_t*)p = acpi_hdr.length; -- 1.6.4.4 -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
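Review bot: the reordering in the second hunk is the right fix: `p` is now derived from the pointer `qemu_realloc()` returns, so it can no longer refer to a freed block when the buffer moves, and `acpi_tables_len` is only advanced once the resize has happened, which also keeps the length consistent with the buffer if `qemu_realloc()` aborts. One pre-existing issue in the unchanged context lines is worth a follow-up: `acpi_hdr.length = cpu_to_le32(acpi_hdr.length); *(uint16_t*)p = acpi_hdr.length;` stores a 32-bit little-endian-converted value through a `uint16_t` pointer, so the value is truncated, and on a big-endian host the truncation keeps the wrong half of the swapped word; a `cpu_to_le16()` on a 16-bit value would match the two-byte slot that `newlen` reserves with `sizeof(uint16_t)`.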