[Qemu-devel] [PULL 06/16] block/dmg: validate chunk size to avoid overflow

From: Stefan Hajnoczi
Subject: [Qemu-devel] [PULL 06/16] block/dmg: validate chunk size to avoid overflow
Date: Fri, 16 Jan 2015 15:37:03 +0000
From: Peter Wu <address@hidden>
Previously the chunk size was not checked, allowing for a large memory
allocation. This patch checks whether the chunk size is within the
resource fork length, and whether the resource fork is below the
trailer of the dmg file.
Signed-off-by: Peter Wu <address@hidden>
Reviewed-by: John Snow <address@hidden>
Message-id: address@hidden
Signed-off-by: Stefan Hajnoczi <address@hidden>
---
block/dmg.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/block/dmg.c b/block/dmg.c
index 4f56227..5c2c2c2 100644
--- a/block/dmg.c
+++ b/block/dmg.c
@@ -317,7 +317,7 @@ static int dmg_read_resource_fork(BlockDriverState *bs,
DmgHeaderState *ds,
ret = read_uint32(bs, offset, &count);
if (ret < 0) {
goto fail;
- } else if (count == 0) {
+ } else if (count == 0 || count > info_end - offset) {
ret = -EINVAL;
goto fail;
}
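Review bot: the new bound `count > info_end - offset` is only meaningful if `offset <= info_end` is already guaranteed when this line runs; with unsigned operands an `offset` that has moved past `info_end` makes the subtraction wrap to a huge value and the check then accepts any `count`. If the loop or the caller establishes that ordering, a one-line comment stating the invariant would make it visible here; otherwise test `offset >= info_end` first and reject before comparing against `count`.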
@@ -377,6 +377,11 @@ static int dmg_open(BlockDriverState *bs, QDict *options,
int flags,
if (ret < 0) {
goto fail;
}
+ if (rsrc_fork_offset >= offset ||
+ rsrc_fork_length > offset - rsrc_fork_offset) {
+ ret = -EINVAL;
+ goto fail;
+ }
if (rsrc_fork_length != 0) {
ret = dmg_read_resource_fork(bs, &ds,
rsrc_fork_offset, rsrc_fork_length);
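Review bot: the operand order in the new condition is load-bearing and deserves a comment: `rsrc_fork_offset >= offset` has to be evaluated first so that `offset - rsrc_fork_offset` in the second operand can never wrap. Separately, the check is placed before `if (rsrc_fork_length != 0)`, so an image whose resource fork is empty but whose offset lies at or past the trailer is now rejected as well; if that is intended, say so in the commit message or a comment, otherwise move the check inside that branch.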
--
2.1.0
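As an added illustration of the two checks this patch introduces (example code written for this page, not QEMU's block/dmg.c), the C below restates both bounds in a form where no intermediate expression can wrap, and goes one step further than the patch by also capping the byte size of the allocation that a validated count feeds. The names `range_within`, `validate_resource_fork`, `validate_length_field`, `alloc_size_or_zero` and the 40-byte entry size are assumptions made for the example, not identifiers from the QEMU source; the sample offsets in `main` are constructed.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not QEMU code: standalone versions of the range checks
 * from the dmg patch, written so that arithmetic cannot wrap. Function
 * names and ENTRY_SIZE are assumptions for the demonstration.
 */

/* True when the byte range [start, start + len) lies inside [0, limit).
 * start + len is never computed, and the subtraction happens only after
 * start <= limit has been confirmed, so nothing can wrap. */
static bool range_within(uint64_t start, uint64_t len, uint64_t limit)
{
    if (start > limit) {
        return false;
    }
    return len <= limit - start;
}

/* Second hunk of the patch: the resource fork must start before the
 * trailer (trailer_offset plays the role of `offset` in dmg_open) and
 * must end at or before it. Testing the offset first keeps the
 * subtraction in the second operand from wrapping. */
static int validate_resource_fork(uint64_t rsrc_fork_offset,
                                  uint64_t rsrc_fork_length,
                                  uint64_t trailer_offset)
{
    if (rsrc_fork_offset >= trailer_offset ||
        rsrc_fork_length > trailer_offset - rsrc_fork_offset) {
        return -EINVAL;
    }
    return 0;
}

/* First hunk of the patch: a 32-bit length field read at `offset` may
 * claim at most the bytes left before info_end, and zero is rejected.
 * Unlike the literal `count > info_end - offset`, this also refuses an
 * offset that is already past info_end instead of relying on the caller
 * to have guaranteed that ordering. */
static int validate_length_field(uint64_t offset, uint32_t count,
                                 uint64_t info_end)
{
    if (count == 0 || !range_within(offset, count, info_end)) {
        return -EINVAL;
    }
    return 0;
}

/* Allocation sizing: once a count has been bounded by the file region,
 * turn it into a byte size only if the product fits in size_t.
 * Returns 0 on overflow (or a zero entry size) so callers refuse it. */
static size_t alloc_size_or_zero(size_t count, size_t entry_size)
{
    if (entry_size == 0 || count > SIZE_MAX / entry_size) {
        return 0;
    }
    return count * entry_size;
}

#define ENTRY_SIZE 40 /* assumed per-entry size for the demonstration */

int main(void)
{
    /* Constructed sample values: trailer at 0x1000, info block end at 0x800. */
    printf("fork in range:   %d\n", validate_resource_fork(0x100, 0x200, 0x1000));
    printf("fork at trailer: %d\n", validate_resource_fork(0x1000, 0x10, 0x1000));
    printf("fork overruns:   %d\n", validate_resource_fork(0x100, 0xF01, 0x1000));
    printf("length ok:       %d\n", validate_length_field(0x400, 0x400, 0x800));
    printf("offset past end: %d\n", validate_length_field(0x900, 5, 0x800));
    printf("alloc 100 x %d:  %zu\n", ENTRY_SIZE, alloc_size_or_zero(100, ENTRY_SIZE));
    printf("alloc huge:      %zu\n", alloc_size_or_zero(SIZE_MAX / 2, ENTRY_SIZE));
    return 0;
}
```

The pattern to take away is that every bound is checked by comparison against a difference whose operands have already been ordered, never by comparing against a sum; a sum of two attacker-controlled fields can wrap and pass the check even though the region it describes runs off the end of the file.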