From 6a83f8b5bec6f59e56cc49bd49e4c3f8f805d56f Mon Sep 17 00:00:00 2001
From: Kevin Wolf
Date: Wed, 26 Mar 2014 13:06:06 +0100
Subject: qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143)

This avoids an unbounded allocation.

Signed-off-by: Kevin Wolf
Reviewed-by: Max Reitz
Signed-off-by: Stefan Hajnoczi
---
 block/qcow2.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

(limited to 'block/qcow2.c')

diff --git a/block/qcow2.c b/block/qcow2.c
index be48a27..bb6000f 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -638,9 +638,7 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
     }
 
     /* read the level 1 table */
-    if (header.l1_size > 0x2000000) {
-        /* 32 MB L1 table is enough for 2 PB images at 64k cluster size
-         * (128 GB for 512 byte clusters, 2 EB for 2 MB clusters) */
+    if (header.l1_size > QCOW_MAX_L1_SIZE) {
         error_setg(errp, "Active L1 table too large");
         ret = -EFBIG;
         goto fail;
-- 
cgit v1.1
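Review bot: The sizing rationale that justified the old literal 0x2000000 ("32 MB L1 table is enough for 2 PB images at 64k cluster size ...") is deleted together with the literal, and nothing in this hunk shows it reappearing next to the definition of QCOW_MAX_L1_SIZE, so a reader of the new check in qcow2_open() can no longer tell why that bound is safe. If the macro's definition does not carry the comment, keep a short pointer here, e.g. `/* bound before the L1 allocation; see QCOW_MAX_L1_SIZE for the sizing rationale */`. Note also that the subject names qcow2_snapshot_load_tmp() while this view is limited to block/qcow2.c, so the corresponding bound on the snapshot's L1 size that the commit message describes is not visible here and cannot be confirmed from this hunk alone. qcow2_open() starts and ends outside the hunk.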