aboutsummaryrefslogtreecommitdiff
path: root/block
diff options
context:
space:
mode:
authorKevin Wolf <kwolf@redhat.com>2014-03-26 13:05:32 +0100
committerStefan Hajnoczi <stefanha@redhat.com>2014-04-01 13:59:47 +0200
commit246f65838d19db6db55bfb41117c35645a2c4789 (patch)
tree88a74c30610b6977ca4a23158e824e0174f4780f /block
parent3dd8a6763bcc50dfc3de8da9279b741c0dea9fb1 (diff)
downloadqemu-246f65838d19db6db55bfb41117c35645a2c4789.zip
qemu-246f65838d19db6db55bfb41117c35645a2c4789.tar.gz
qemu-246f65838d19db6db55bfb41117c35645a2c4789.tar.bz2
bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147)
Gets us rid of integer overflows resulting in negative sizes which aren't correctly checked. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Diffstat (limited to 'block')
-rw-r--r--block/bochs.c16
1 files changed, 8 insertions, 8 deletions
diff --git a/block/bochs.c b/block/bochs.c
index ef8e381..e923eed 100644
--- a/block/bochs.c
+++ b/block/bochs.c
@@ -67,13 +67,13 @@ struct bochs_header {
typedef struct BDRVBochsState {
CoMutex lock;
uint32_t *catalog_bitmap;
- int catalog_size;
+ uint32_t catalog_size;
- int data_offset;
+ uint32_t data_offset;
- int bitmap_blocks;
- int extent_blocks;
- int extent_size;
+ uint32_t bitmap_blocks;
+ uint32_t extent_blocks;
+ uint32_t extent_size;
} BDRVBochsState;
static int bochs_probe(const uint8_t *buf, int buf_size, const char *filename)
@@ -97,7 +97,7 @@ static int bochs_open(BlockDriverState *bs, QDict *options, int flags,
Error **errp)
{
BDRVBochsState *s = bs->opaque;
- int i;
+ uint32_t i;
struct bochs_header bochs;
int ret;
@@ -153,8 +153,8 @@ fail:
static int64_t seek_to_sector(BlockDriverState *bs, int64_t sector_num)
{
BDRVBochsState *s = bs->opaque;
- int64_t offset = sector_num * 512;
- int64_t extent_index, extent_offset, bitmap_offset;
+ uint64_t offset = sector_num * 512;
+ uint64_t extent_index, extent_offset, bitmap_offset;
char bitmap_entry;
// seek to sector