diff options
author | Kevin Wolf <kwolf@redhat.com> | 2014-05-08 13:35:09 +0200 |
---|---|---|
committer | Kevin Wolf <kwolf@redhat.com> | 2014-05-19 11:36:49 +0200 |
commit | d66e5cee002c471b78139228a4e7012736b375f9 (patch) | |
tree | e6304da0d058cf822920f6e833695eaf6ca7f189 /block/qcow.c | |
parent | 46485de0cb357b57373e1ca895adedf1f3ed46ec (diff) | |
download | qemu-d66e5cee002c471b78139228a4e7012736b375f9.zip qemu-d66e5cee002c471b78139228a4e7012736b375f9.tar.gz qemu-d66e5cee002c471b78139228a4e7012736b375f9.tar.bz2 |
qcow1: Stricter backing file length check
Like qcow2 since commit 6d33e8e7, error out on invalid lengths instead
of silently truncating them to 1023.
Also don't rely on bdrv_pread() catching integer overflows that make len
negative, but use unsigned variables in the first place.
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Benoit Canet <benoit@irqsave.net>
Diffstat (limited to 'block/qcow.c')
-rw-r--r-- | block/qcow.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/block/qcow.c b/block/qcow.c index 3566c05..7fd57d7 100644 --- a/block/qcow.c +++ b/block/qcow.c @@ -97,7 +97,8 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags, Error **errp) { BDRVQcowState *s = bs->opaque; - int len, i, shift, ret; + unsigned int len, i, shift; + int ret; QCowHeader header; ret = bdrv_pread(bs->file, 0, &header, sizeof(header)); @@ -202,7 +203,9 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags, if (header.backing_file_offset != 0) { len = header.backing_file_size; if (len > 1023) { - len = 1023; + error_setg(errp, "Backing file name too long"); + ret = -EINVAL; + goto fail; } ret = bdrv_pread(bs->file, header.backing_file_offset, bs->backing_file, len); |