Fix heap buffer overflow with -x option

visitorckw · visitorckw · commit e11b229054b8 · 2025-12-03T18:14:42.000Z
The opt_virtio_blk_img array can be overflowed if more than
VBLK_DEV_MAX virtio-blk devices are specified using the -x option, as
opt_virtio_blk_idx is incremented without bounds checking.

Add a check to ensure that opt_virtio_blk_idx does not exceed
VBLK_DEV_MAX. If the limit is reached, log an error and exit.
diff --git a/src/main.c b/src/main.c
@@ -131,6 +131,11 @@ static bool parse_args(int argc, char **args)
             emu_argc++;
             break;
         case 'x':
+            if (opt_virtio_blk_idx >= VBLK_DEV_MAX) {
+                rv_log_error("Too many virtio-blk devices. Maximum is %d.\n",
+                             VBLK_DEV_MAX);
+                return false;
+            }
             if (!strncmp("vblk:", optarg, 5))
                 opt_virtio_blk_img[opt_virtio_blk_idx++] =
                     optarg + 5; /* strlen("vblk:") */
