qemu: saveimage: validate cookieOffset and NUL-terminate XML buffer

qemuSaveImageReadHeader() computed cookie_len = data_len - xml_len in size_t with no check that cookieOffset <= data_len; a crafted header with cookieOffset > data_len underflows cookie_len to ~SIZE_MAX and g_new0() aborts the daemon. The XML buffer was also allocated to exactly xml_len with no NUL terminator, then parsed as a C string, allowing a heap over-read for a non-NUL-terminated payload. Reject cookieOffset > data_len and allocate one extra (zeroed) byte for the XML terminator.

Signed-off-by: HE WEI(ギカク) skyexpoc@gmail.com

Merge request reports

Loading