From: Kevin Wolf
Subject: [Qemu-devel] [PULL 24/42] block/dmg: validate chunk size to avoid overflow
Date: Fri, 6 Feb 2015 17:40:31 +0100
From: Peter Wu <address@hidden>
Previously the chunk size was not checked, allowing for a large memory
allocation. This patch checks whether the chunk size is within the
resource fork length, and whether the resource fork is below the
trailer of the dmg file.
Signed-off-by: Peter Wu <address@hidden>
Reviewed-by: John Snow <address@hidden>
Message-id: address@hidden
Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
---
block/dmg.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/block/dmg.c b/block/dmg.c
index 4f56227..5c2c2c2 100644
--- a/block/dmg.c
+++ b/block/dmg.c
@@ -317,7 +317,7 @@ static int dmg_read_resource_fork(BlockDriverState *bs,
DmgHeaderState *ds,
ret = read_uint32(bs, offset, &count);
if (ret < 0) {
goto fail;
- } else if (count == 0) {
+ } else if (count == 0 || count > info_end - offset) {
ret = -EINVAL;
goto fail;
}
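Review bot: the new bound `count > info_end - offset` in dmg_read_resource_fork is only sound if `offset <= info_end` holds when this line runs; otherwise the unsigned subtraction wraps and the check passes for any `count`. The hunk does not show the enclosing loop condition that is presumably guaranteeing this, so a one-line comment next to the test (e.g. `/* offset < info_end is guaranteed by the loop condition */`) would make the invariant explicit for future readers. It would also help to split the two failure cases so the log message (or at least the comment) distinguishes "empty chunk" from "chunk runs past the end of the resource fork"; both currently collapse into the same `-EINVAL`.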
@@ -377,6 +377,11 @@ static int dmg_open(BlockDriverState *bs, QDict *options,
int flags,
if (ret < 0) {
goto fail;
}
+ if (rsrc_fork_offset >= offset ||
+ rsrc_fork_length > offset - rsrc_fork_offset) {
+ ret = -EINVAL;
+ goto fail;
+ }
if (rsrc_fork_length != 0) {
ret = dmg_read_resource_fork(bs, &ds,
rsrc_fork_offset, rsrc_fork_length);
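Review bot: the ordering of the two conditions in the new check is correct and worth preserving: `rsrc_fork_offset >= offset` rejects the fork before `offset - rsrc_fork_offset` is computed, so the subtraction cannot underflow. What the hunk does not make obvious is that `offset` here is the position of the UDIF trailer (the commit message says the fork must lie "below the trailer"), so a comment such as `/* the resource fork must lie entirely before the UDIF trailer */` above the `if` would document the intent without readers having to trace where `offset` was assigned. Note also that the check is placed before the `rsrc_fork_length != 0` test, so an image with a zero-length fork but an offset at or past the trailer is now rejected as well; that is the stricter and safer behaviour, but if it is intentional it deserves a sentence in the commit message.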
--
1.8.3.1