libxc: check blob size before proceeding in xc_dom_check_gzip

This is part of the fix to a security issue, XSA-55.

Signed-off-by: Matthew Daley <mattjd@gmail.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
v8: Add a comment explaining where the number 6 comes from.

v6: This patch is new in v6 of the series.

diff --git a/tools/libxc/xc_dom_core.c b/tools/libxc/xc_dom_core.c
index 1a14d3c5ce41a1c2381b83f0664e82109e6493ec..5f188c13217601af97b9879acd0fdddf08e103b0 100644 (file)
--- a/tools/libxc/xc_dom_core.c
+++ b/tools/libxc/xc_dom_core.c
@@ -284,6 +284,11 @@ size_t xc_dom_check_gzip(xc_interface *xch, void *blob, size_t ziplen)
     unsigned char *gzlen;
     size_t unziplen;
 
+    if ( ziplen < 6 )
+        /* Too small.  We need (i.e. the subsequent code relies on)
+         * 2 bytes for the magic number plus 4 bytes length. */
+        return 0;
+
     if ( strncmp(blob, "\037\213", 2) )
         /* not gzipped */
         return 0;