qemu-devel

[Qemu-devel] [PATCH 4/4] qcow2: Check validity of backing file name leng


From: Max Reitz
Subject: [Qemu-devel] [PATCH 4/4] qcow2: Check validity of backing file name length
Date: Sun, 17 Nov 2013 15:18:44 +0100

The len variable is a signed integer, therefore it may overflow when
reading the backing file name length from the qcow2 image header. This
case should be handled explicitly.

Signed-off-by: Max Reitz <address@hidden>
---
 block/qcow2.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/block/qcow2.c b/block/qcow2.c
index 9c29e1a..e54176e 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -630,6 +630,11 @@ static int qcow2_open(BlockDriverState *bs, QDict 
*options, int flags,
     /* read the backing file name */
     if (header.backing_file_offset != 0) {
         len = header.backing_file_size;
+        if (len < 0) {
+            error_setg(errp, "Backing file name length is negative");
+            ret = -EINVAL;
+            goto fail;
+        }
         if (len > 1023) {
             len = 1023;
         }
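Review bot: In the added `if (len < 0)` block, the test runs after `len = header.backing_file_size;` has already converted the header field to a signed int, so it checks the result of the conversion rather than the value stored in the header. Comparing `header.backing_file_size` against the limit before the assignment would catch the same images without depending on how the value wraps. The two out-of-range cases also end up handled differently: a length that comes out negative fails the open with -EINVAL, while a length above 1023 is still silently clamped by the unchanged `if (len > 1023)` lines that follow. If an oversized name length indicates a bad image, rejecting both the same way would be more consistent. The message "Backing file name length is negative" describes the wrapped value, not the header field; wording such as "Backing file name too long" would tell the user more about what is wrong with the image.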
-- 
1.8.4.2



