[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PULL 04/20] block: fix theoretical overflow in bdrv_init_padding()
From: |
Eric Blake |
Subject: |
[PULL 04/20] block: fix theoretical overflow in bdrv_init_padding() |
Date: |
Tue, 2 Feb 2021 16:45:13 -0600 |
From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Calculation of sum may theoretically overflow, so use 64bit type and
add some good assertions.
Use int64_t constantly.
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Message-Id: <20201211183934.169161-4-vsementsov@virtuozzo.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
[eblake: tweak assertion order]
Signed-off-by: Eric Blake <eblake@redhat.com>
---
block/io.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/block/io.c b/block/io.c
index ab953bd58f48..c8c9dea55466 100644
--- a/block/io.c
+++ b/block/io.c
@@ -1565,8 +1565,12 @@ static bool bdrv_init_padding(BlockDriverState *bs,
int64_t offset, int64_t bytes,
BdrvRequestPadding *pad)
{
- uint64_t align = bs->bl.request_alignment;
- size_t sum;
+ int64_t align = bs->bl.request_alignment;
+ int64_t sum;
+
+ bdrv_check_request(offset, bytes, &error_abort);
+ assert(align <= INT_MAX); /* documented in block/block_int.h */
+ assert(align <= SIZE_MAX / 2); /* so we can allocate the buffer */
memset(pad, 0, sizeof(*pad));
--
2.30.0
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [PULL 04/20] block: fix theoretical overflow in bdrv_init_padding(),
Eric Blake <=