[Qemu-devel] [PULL 18/31] qcow2: Avoid overflow in alloc_clusters_noref()
From: Kevin Wolf
Subject: [Qemu-devel] [PULL 18/31] qcow2: Avoid overflow in alloc_clusters_noref()
Date: Wed, 30 Apr 2014 20:23:50 +0200
From: Max Reitz <address@hidden>
alloc_clusters_noref() stores the cluster index in a uint64_t. However,
offsets are often represented as int64_t (as for example the return
value of alloc_clusters_noref() itself demonstrates). Therefore, we
should make sure all offsets in the allocated range of clusters are
representable using int64_t without overflows.
Signed-off-by: Max Reitz <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
---
block/qcow2-refcount.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index a37ee45..d2cb6a8 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -653,6 +653,13 @@ retry:
goto retry;
}
}
+
+ /* Make sure that all offsets in the "allocated" range are representable
+ * in an int64_t */
+ if (s->free_cluster_index - 1 > (INT64_MAX >> s->cluster_bits)) {
+ return -EFBIG;
+ }
+
#ifdef DEBUG_ALLOC2
fprintf(stderr, "alloc_clusters: size=%" PRId64 " -> %" PRId64 "\n",
size,
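Review bot: the subtraction in `if (s->free_cluster_index - 1 > (INT64_MAX >> s->cluster_bits))` is evaluated on a uint64_t, so a free_cluster_index of 0 would wrap to UINT64_MAX and make the new check return -EFBIG for an empty range; the hunk does not show anything guaranteeing the index is at least 1 at this point, so either state that invariant in the comment or write the bound without the subtraction, e.g. `if (s->free_cluster_index > (INT64_MAX >> s->cluster_bits) + 1)`, which rejects exactly the same values and has no wrap-around case.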
--
1.8.3.1
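The reasoning in the commit message (a cluster index is a uint64_t, but the offsets derived from it are int64_t, so the last index must satisfy index <= INT64_MAX >> cluster_bits) is shown below as a stand-alone C example. It is added here and is not QEMU's code; `check_cluster_range` and `naive_offset_fits` are hypothetical helpers that take the values the patch reads from `s->free_cluster_index` and `s->cluster_bits` as plain parameters. The naive variant shifts the index left and compares the result, which silently wraps for large indices; the checked variant shifts the bound right instead, which is the form the patch uses.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Naive check (constructed for contrast, not from the patch): compute the
 * byte offset in uint64_t and compare it to INT64_MAX. The left shift is
 * well-defined on unsigned types but wraps modulo 2^64, so an index of
 * 2^48 with 16-bit clusters yields an "offset" of 0 and the check passes
 * even though the real offset (2^64) fits in neither int64_t nor uint64_t. */
bool naive_offset_fits(uint64_t index, unsigned cluster_bits)
{
    uint64_t offset = index << cluster_bits;
    return offset <= (uint64_t)INT64_MAX;
}

/* Checked variant mirroring the patch: free_cluster_index is the index one
 * past the last cluster of the freshly allocated range; cluster_bits is
 * log2 of the cluster size. Every offset in the range is representable as
 * int64_t iff the last index is <= INT64_MAX >> cluster_bits. Shifting the
 * bound right instead of the index left cannot overflow, and the explicit
 * zero guard avoids the unsigned wrap that "index - 1" would produce.
 * Returns 0 when the range is representable, -EFBIG otherwise. */
int check_cluster_range(uint64_t free_cluster_index, unsigned cluster_bits)
{
    if (free_cluster_index == 0) {
        return 0;               /* empty range: nothing to represent */
    }
    uint64_t last_index = free_cluster_index - 1;
    uint64_t max_index = (uint64_t)INT64_MAX >> cluster_bits;
    if (last_index > max_index) {
        return -EFBIG;
    }
    return 0;
}

/* Converts an index to an int64_t offset only after the range check has
 * passed, so the value cannot be negative or truncated. Returns -EFBIG if
 * the index is out of range; the offset is stored through *out. */
int cluster_offset(uint64_t index, unsigned cluster_bits, int64_t *out)
{
    int ret = check_cluster_range(index + 1, cluster_bits);
    if (ret < 0) {
        return ret;
    }
    *out = (int64_t)(index << cluster_bits);
    return 0;
}

int main(void)
{
    const unsigned bits = 16;                    /* 64 KiB clusters, constructed */
    uint64_t boundary = (uint64_t)INT64_MAX >> bits;   /* 2^47 - 1 */
    int64_t off;

    printf("last index %llu: %s\n", (unsigned long long)boundary,
           check_cluster_range(boundary + 1, bits) == 0 ? "fits" : "EFBIG");
    printf("last index %llu: %s\n", (unsigned long long)(boundary + 1),
           check_cluster_range(boundary + 2, bits) == 0 ? "fits" : "EFBIG");
    printf("naive check at index 2^48: %s (wrong)\n",
           naive_offset_fits(UINT64_C(1) << 48, bits) ? "fits" : "EFBIG");
    if (cluster_offset(boundary, bits, &off) == 0) {
        printf("offset of last representable cluster: %lld\n", (long long)off);
    }
    return 0;
}
```

The boundary case is the one worth keeping in mind when reviewing such checks: with 16-bit clusters the largest usable index is 2^47 - 1, whose offset 2^63 - 2^16 still fits an int64_t, while index 2^47 maps to exactly 2^63 and must be rejected.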