authorMax Reitz <mreitz@redhat.com>2014-04-29 19:03:11 +0200
committerKevin Wolf <kwolf@redhat.com>2014-04-30 14:46:13 +0200
commit91f827dcff61c3e007def4c949d3a8310954b85e (patch)
treeb33046c00ba2467efb8a619f4c12e9f242d9b6fa /block
parent35d0d40a034b2392f48f91e4e00c8c94e3526a19 (diff)
qcow2: Avoid overflow in alloc_clusters_noref()
alloc_clusters_noref() stores the cluster index in a uint64_t. However, offsets are often represented as int64_t (as for example the return value of alloc_clusters_noref() itself demonstrates). Therefore, we should make sure all offsets in the allocated range of clusters are representable using int64_t without overflows. Signed-off-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Diffstat (limited to 'block')
-rw-r--r--block/qcow2-refcount.c7
1 files changed, 7 insertions, 0 deletions
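--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -653,6 +653,13 @@ retry:
 goto retry;
 }
 }
+
+ /* Make sure that all offsets in the "allocated" range are representable
+ * in an int64_t */
+ if (s->free_cluster_index - 1 > (INT64_MAX >> s->cluster_bits)) {
+ return -EFBIG;
+ }
+
 #ifdef DEBUG_ALLOC2
 fprintf(stderr, "alloc_clusters: size=%" PRId64 " -> %" PRId64 "\n",
 size,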
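Review bot: The new check computes `s->free_cluster_index - 1` on a uint64_t, so if the index can still be 0 at this point (the allocation loop above is skipped for a zero-cluster request on a freshly opened image, as far as the hunk shows), the subtraction wraps to UINT64_MAX and the call fails with -EFBIG although nothing is out of range. The same bound can be expressed without the subtraction: `if (s->free_cluster_index > (INT64_MAX >> s->cluster_bits) + 1) {`; since qcow2 cluster_bits is at least 9, the right-hand side cannot overflow. It is also worth recording in the comment that the check runs only after free_cluster_index has already been advanced past the range, so on -EFBIG the index stays beyond the limit and later allocations keep failing — presumably intended, but a line such as `/* free_cluster_index is left past the limit on purpose: the image is full */` would make that explicit. alloc_clusters_noref() begins before and ends after this hunk.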