[Qemu-devel] [PATCH 05/10] block/dmg: validate chunk size to avoid overf
From: Peter Wu
Subject: [Qemu-devel] [PATCH 05/10] block/dmg: validate chunk size to avoid overflow
Date: Sat, 27 Dec 2014 16:01:39 +0100
Previously the chunk size was not checked, allowing for a large memory
allocation. This patch checks whether the chunk size is within the
resource fork length.
Signed-off-by: Peter Wu <address@hidden>
---
block/dmg.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/block/dmg.c b/block/dmg.c
index 75e771a..19e4fe2 100644
--- a/block/dmg.c
+++ b/block/dmg.c
@@ -308,7 +308,7 @@ static int dmg_read_resource_fork(BlockDriverState *bs,
DmgHeaderState *ds,
ret = read_uint32(bs, offset, &count);
if (ret < 0) {
goto fail;
- } else if (count == 0) {
+ } else if (count == 0 || count > info_end - offset) {
ret = -EINVAL;
goto fail;
}
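Review bot: The new bound `count > info_end - offset` is only meaningful if `offset <= info_end` is already guaranteed at this point, and nothing in this hunk establishes that. If these variables are unsigned and `offset` can ever pass `info_end`, the subtraction wraps to a very large value and every `count` is accepted, which defeats the check. Also, `offset` was just used as the read position for the 4-byte `count` field in `read_uint32(bs, offset, &count)`; unless it is advanced before this test, the space actually left for the chunk is 4 bytes smaller than `info_end - offset`, so a `count` that overruns the fork by up to 4 bytes still passes. Suggest checking `offset` against `info_end` first (or documenting the loop invariant in a comment) and comparing `count` against the room remaining after the length field. A short comment saying that `count` comes from the image and sizes a later allocation would help readers see why the bound matters.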
--
2.2.1