diff options
author | Kevin Wolf <kwolf@redhat.com> | 2014-03-26 13:05:32 +0100 |
---|---|---|
committer | Stefan Hajnoczi <stefanha@redhat.com> | 2014-04-01 13:59:47 +0200 |
commit | 246f65838d19db6db55bfb41117c35645a2c4789 (patch) | |
tree | 88a74c30610b6977ca4a23158e824e0174f4780f /block/bochs.c | |
parent | 3dd8a6763bcc50dfc3de8da9279b741c0dea9fb1 (diff) | |
download | qemu-246f65838d19db6db55bfb41117c35645a2c4789.zip qemu-246f65838d19db6db55bfb41117c35645a2c4789.tar.gz qemu-246f65838d19db6db55bfb41117c35645a2c4789.tar.bz2 |
bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147)
Gets us rid of integer overflows resulting in negative sizes which
aren't correctly checked.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Diffstat (limited to 'block/bochs.c')
-rw-r--r-- | block/bochs.c | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/block/bochs.c b/block/bochs.c index ef8e381..e923eed 100644 --- a/block/bochs.c +++ b/block/bochs.c @@ -67,13 +67,13 @@ struct bochs_header { typedef struct BDRVBochsState { CoMutex lock; uint32_t *catalog_bitmap; - int catalog_size; + uint32_t catalog_size; - int data_offset; + uint32_t data_offset; - int bitmap_blocks; - int extent_blocks; - int extent_size; + uint32_t bitmap_blocks; + uint32_t extent_blocks; + uint32_t extent_size; } BDRVBochsState; static int bochs_probe(const uint8_t *buf, int buf_size, const char *filename) @@ -97,7 +97,7 @@ static int bochs_open(BlockDriverState *bs, QDict *options, int flags, Error **errp) { BDRVBochsState *s = bs->opaque; - int i; + uint32_t i; struct bochs_header bochs; int ret; @@ -153,8 +153,8 @@ fail: static int64_t seek_to_sector(BlockDriverState *bs, int64_t sector_num) { BDRVBochsState *s = bs->opaque; - int64_t offset = sector_num * 512; - int64_t extent_index, extent_offset, bitmap_offset; + uint64_t offset = sector_num * 512; + uint64_t extent_index, extent_offset, bitmap_offset; char bitmap_entry; // seek to sector |