qemu-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH 1/2] block: Detect multiplication overflow in bd


From: Markus Armbruster
Subject: Re: [Qemu-devel] [PATCH 1/2] block: Detect multiplication overflow in bdrv_getlength
Date: Fri, 15 May 2015 10:10:47 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)

Fam Zheng <address@hidden> writes:

> Bogus image may have a large total_sectors that will overflow the
> multiplication. For cleanness, fix the return code so the error message
> will be meaningful.
>
> Reported-by: Richard W.M. Jones <address@hidden>
> Signed-off-by: Fam Zheng <address@hidden>
> ---
>  block.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/block.c b/block.c
> index 7904098..5ee3fdf 100644
> --- a/block.c
> +++ b/block.c
> @@ -2330,6 +2330,7 @@ int64_t bdrv_getlength(BlockDriverState *bs)
>  {
>      int64_t ret = bdrv_nb_sectors(bs);
>  
> +    ret = (int64_t)(ret * BDRV_SECTOR_SIZE) < 0 ? -EFBIG : ret;
>      return ret < 0 ? ret : ret * BDRV_SECTOR_SIZE;
>  }

Signed integer overflow is undefined behavior.  Your code works just
fine on any remotely sane machine, *except* when the optimizer decides
to use its undefined behavior license to mess with you.

A more prudent way to test for overflow would be something like

    ret > INT64_MAX / BDRV_SECTOR_SIZE



reply via email to

[Prev in Thread] Current Thread [Next in Thread]