I can't reproduce the issue with your "poc" binary here. Which version of QEMU exactly were you using? Can you reproduce it with the latest version from the master branch?
Also there is already a size check some lines earlier:
if ((d + l) > (dest + size)) {
l = dest - d;
}
Isn't that sufficient?
Also, please explain how this vulnerability could be exploited. The code path is not triggered by the guest, is it?
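The clamp quoted in the message above, as an added illustration that is not QEMU's code and not the reporter's PoC. The two functions below apply the same `if ((d + l) > (dest + size))` test to a generic copy into a fixed-size buffer and differ only in the value assigned to `l`: the quoted form `l = dest - d` versus `l = (dest + size) - d`, the number of bytes actually left in the destination. The 16-byte buffer `g_buf`, the `*_at` wrappers and the surrounding copy loop are assumptions made for this example; the variable names follow the quoted snippet.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed destination buffer for the example (not from QEMU). */
static uint8_t g_buf[16];

/* Clamp exactly as quoted in the message: l = dest - d.
 * 'dest'/'size' describe the destination, 'd' is the current write
 * pointer, 'l' the length of the chunk about to be written. */
static size_t clamp_as_quoted(const uint8_t *dest, size_t size,
                              const uint8_t *d, size_t l)
{
    if ((d + l) > (dest + size)) {
        /* dest - d is the distance back to the start of the buffer,
         * not the space left after d. For d > dest the ptrdiff_t is
         * negative and converts to a huge size_t. */
        l = dest - d;
    }
    return l;
}

/* Clamp to the space actually remaining: l = (dest + size) - d. */
static size_t clamp_remaining(const uint8_t *dest, size_t size,
                              const uint8_t *d, size_t l)
{
    if ((d + l) > (dest + size)) {
        l = (dest + size) - d;
    }
    return l;
}

/* Wrappers over the example buffer: 'off' is the write offset into
 * g_buf, 'l' the requested chunk length. */
size_t quoted_at(size_t off, size_t l)
{
    return clamp_as_quoted(g_buf, sizeof g_buf, g_buf + off, l);
}

size_t remaining_at(size_t off, size_t l)
{
    return clamp_remaining(g_buf, sizeof g_buf, g_buf + off, l);
}

int main(void)
{
    /* Writing 32 bytes at offset 8 of a 16-byte buffer: only 8 fit. */
    printf("quoted clamp at off 8:    %zu\n", quoted_at(8, 32));
    printf("remaining clamp at off 8: %zu\n", remaining_at(8, 32));
    /* At offset 0 the quoted clamp truncates the whole chunk to 0. */
    printf("quoted clamp at off 0:    %zu\n", quoted_at(0, 32));
    printf("remaining clamp at off 0: %zu\n", remaining_at(0, 32));
    return 0;
}
```

Run it with `cc -Wall example.c && ./a.out`. Whether the arithmetic matters in practice depends on the question the message asks, namely whether the path is reachable from the guest at all; the example only shows what the quoted assignment computes.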