qstring: Fix qstring_from_substr() not to provoke int overflow

qstring_from_substr() parameters @start and @end are of type int. blkdebug_parse_filename(), blkverify_parse_filename(), nbd_parse_uri(), and qstring_from_str() pass @end values of type size_t or ptrdiff_t. Values exceeding INT_MAX get truncated, with possibly disastrous results. Such huge substrings seem unlikely, but we found one in a core dump, where "info tlb" executed via QMP's human-monitor-command apparently produced 35 GiB of output. Fix by changing the parameters size_t. Backports commit ad63c549ecd4af4a22a675a815edeb06b0e7bb6e from qemu
2025-01-09 23:45:30 +00:00 · 2018-08-02 21:21:41 -04:00 · 2018-08-02 21:21:41 -04:00 · ea6ea4313d
parent 582a97055d
commit ea6ea4313d
2 changed files with 2 additions and 2 deletions
--- a/qemu/include/qapi/qmp/qstring.h
+++ b/qemu/include/qapi/qmp/qstring.h
@ -25,7 +25,7 @@ struct QString {
 QString *qstring_new(void);
 QString *qstring_from_str(const char *str);
-QString *qstring_from_substr(const char *str, int start, int end);
+QString *qstring_from_substr(const char *str, size_t start, size_t end);
 size_t qstring_get_length(const QString *qstring);
 const char *qstring_get_str(const QString *qstring);
 const char *qstring_get_try_str(const QString *qstring);
--- a/qemu/qobject/qstring.c
+++ b/qemu/qobject/qstring.c
@ -37,7 +37,7 @@ size_t qstring_get_length(const QString *qstring)
 *
 * Return string reference
 */
-QString *qstring_from_substr(const char *str, int start, int end)
+QString *qstring_from_substr(const char *str, size_t start, size_t end)
 {
    QString *qstring;