From: Peter Wu
Subject: [Qemu-devel] [PATCH v2 05/12] block/dmg: validate chunk size to avoid overflow
Date: Tue, 6 Jan 2015 18:48:08 +0100
Previously the chunk size was not checked, allowing for a large memory
allocation. This patch checks whether the chunk size is within the
resource fork length, and whether the resource fork is below the
trailer of the dmg file.
Signed-off-by: Peter Wu <address@hidden>
---
v2: added resource fork offset check
---
block/dmg.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/block/dmg.c b/block/dmg.c
index 4913249..5f6976b 100644
--- a/block/dmg.c
+++ b/block/dmg.c
@@ -319,7 +319,7 @@ static int dmg_read_resource_fork(BlockDriverState *bs,
DmgHeaderState *ds,
ret = read_uint32(bs, offset, &count);
if (ret < 0) {
goto fail;
- } else if (count == 0) {
+ } else if (count == 0 || count > info_end - offset) {
ret = -EINVAL;
goto fail;
}
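Review bot: the new bound `count > info_end - offset` is only safe if `offset < info_end` already holds at this point, because the subtraction is unsigned and would otherwise wrap to a huge value that lets any `count` through; the hunk does not show the loop condition that establishes this, so either confirm the caller guarantees it or fold it into the check as `count == 0 || offset >= info_end || count > info_end - offset`. A one-line comment saying that `count` is the byte length about to be allocated and read would also make the purpose of the bound clear to later readers.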
@@ -379,6 +379,11 @@ static int dmg_open(BlockDriverState *bs, QDict *options,
int flags,
if (ret < 0) {
goto fail;
}
+ if (rsrc_fork_offset >= offset ||
+ rsrc_fork_length > offset - rsrc_fork_offset) {
+ ret = -EINVAL;
+ goto fail;
+ }
if (rsrc_fork_length != 0) {
ret = dmg_read_resource_fork(bs, &ds,
rsrc_fork_offset, rsrc_fork_length);
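Review bot: the new check runs before `if (rsrc_fork_length != 0)`, so an image with no resource fork (length 0) is now rejected whenever its unused `rsrc_fork_offset` happens to be at or past the trailer, where it previously opened; if such files exist in practice, move the check inside the `rsrc_fork_length != 0` block. The condition order itself is right: testing `rsrc_fork_offset >= offset` first keeps `offset - rsrc_fork_offset` from wrapping. A short comment that `offset` here is the trailer position would help, since the variable name does not say so.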
--
2.2.1
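As an added illustration, not code from Peter Wu's patch or from QEMU, the two checks above are written as stand-alone helpers next to the addition-based form a bounds check is often written in, with a constructed header value that makes the addition wrap. The helper names, the `trailer` parameter (standing in for the patch's `offset` in dmg_open) and the sample values are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers (not QEMU code) modelled on the two checks in the
 * patch. 'trailer' stands for the patch's 'offset' in dmg_open(): the file
 * position of the dmg trailer that the resource fork must lie below. */

/* A check written as an addition: the sum of two 64-bit fields can wrap. */
static bool fork_fits_by_addition(uint64_t fork_off, uint64_t fork_len,
                                  uint64_t trailer)
{
    return fork_off + fork_len <= trailer;
}

/* The patch's form: reject fork_off >= trailer first so the subtraction
 * below can never wrap, then compare the length against the room left. */
static bool fork_fits(uint64_t fork_off, uint64_t fork_len, uint64_t trailer)
{
    if (fork_off >= trailer) {
        return false;
    }
    return fork_len <= trailer - fork_off;
}

/* The dmg_read_resource_fork() check: 'count' is the byte size that is
 * about to be allocated and read at 'offset'; it must be non-zero and fit
 * before info_end. The offset >= info_end guard is added here because this
 * helper cannot rely on a caller's loop condition. */
static bool chunk_fits(uint32_t count, uint64_t offset, uint64_t info_end)
{
    if (count == 0 || offset >= info_end) {
        return false;
    }
    return count <= info_end - offset;
}

int main(void)
{
    /* Constructed header values: a fork offset of UINT64_MAX makes the
     * addition wrap to 0xff and pass, while the subtraction form rejects it. */
    uint64_t bad_off = UINT64_MAX, len = 0x100, trailer = 0x1000;
    printf("addition form accepts: %d\n", fork_fits_by_addition(bad_off, len, trailer));
    printf("patch form accepts:    %d\n", fork_fits(bad_off, len, trailer));
    return 0;
}
```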