libxc: Check full range of pfns for xc_dom_pfn_to_ptr

Previously, passing a valid pfn but an overly large count to
xc_dom_pfn_to_ptr, and functions which call it, would run off the end
of the pfn array giving undefined behaviour.

It is tempting to change this check to an assert, as no callers should
be providing invalid parameters here.  But this is probably best not
done while frozen for 4.0.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>

diff --git a/tools/libxc/xc_dom_core.c b/tools/libxc/xc_dom_core.c
index b1e90d8d6e9e458e7837aee6be9cf2663d68c600..23c655efb37c3474a84711e759eb2def33033b9c 100644 (file)
--- a/tools/libxc/xc_dom_core.c
+++ b/tools/libxc/xc_dom_core.c
@@ -288,7 +288,9 @@ void *xc_dom_pfn_to_ptr(struct xc_dom_image *dom, xen_pfn_t pfn,
     unsigned int page_shift = XC_DOM_PAGE_SHIFT(dom);
     char *mode = "unset";
 
-    if ( pfn > dom->total_pages )
+    if ( pfn > dom->total_pages ||    /* multiple checks to avoid overflows */
+         count > dom->total_pages ||
+         pfn > dom->total_pages - count )
     {
         xc_dom_printf("%s: pfn out of range (0x%" PRIpfn " > 0x%" PRIpfn ")\n",
                       __FUNCTION__, pfn, dom->total_pages);