[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH v4] aarch64: Allow -kernel option to take a gzip
From: |
Peter Maydell |
Subject: |
Re: [Qemu-devel] [PATCH v4] aarch64: Allow -kernel option to take a gzip-compressed kernel. |
Date: |
Mon, 4 Aug 2014 09:52:48 +0100 |
On 4 August 2014 09:48, Richard W.M. Jones <address@hidden> wrote:
> On Mon, Aug 04, 2014 at 09:05:39AM +1000, Peter Crosthwaite wrote:
>> On Sun, Aug 3, 2014 at 1:45 AM, Richard W.M. Jones <address@hidden> wrote:
>> > + max_bytes = UBOOT_MAX_GUNZIP_BYTES;
>>
>> Why does u-boot's maximum size limit apply here?
>
> We need some maximum to prevent people uploading a kernel (perhaps
> from an untrusted source) which is some sort of malicious gzip file
> that expands to a huge size.
If we care about malicious zipfiles we should probably fix the bits
in gunzip() which trust the gzip header more than they should...
thanks
-- PMM