mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-03-07 17:28:15 +00:00

storage: avoid mishandling backing store > 2GB

Detected by Coverity.  The code was doing math on shifted unsigned
char (which promotes to int), then promoting that to unsigned long
during assignment to size.  On 64-bit platforms, this risks sign
extending values of size > 2GiB.  Bug present since commit
489fd3 (v0.6.0).

I'm not sure if a specially-crafted bogus qcow2 image could
exploit this, although it's probably not possible, since we
were already checking for the computed results being within
range of our fixed-size buffer.

* src/util/storage_file.c (qcowXGetBackingStore): Avoid sign
extension.
Eric Blake 2011-06-02 17:52:16 -06:00
parent 28ea3bf31c
commit 54456cc0fd
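
The sign extension described in the commit message, as an added example that is not part of the libvirt commit. `uint64_t` stands in for `unsigned long` on a 64-bit platform, and the function names, sample bytes and buffer check are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample fields: a big-endian 32-bit size above and below 2 GiB. */
const unsigned char SAMPLE_HIGH[4] = { 0x80, 0x00, 0x00, 0x01 };
const unsigned char SAMPLE_LOW[4]  = { 0x7f, 0xff, 0xff, 0xff };

/* The int that (b[0] << 24) | (b[1] << 16) | (b[2] << 8) | b[3] yields on
 * two's-complement compilers. The top byte is shifted as unsigned and then
 * converted, so the demo itself avoids the formally undefined signed shift. */
static int32_t be32_as_int(const unsigned char *b)
{
    return (int32_t)(((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
                     ((uint32_t)b[2] << 8) | (uint32_t)b[3]);
}

/* Pre-fix shape: the int result is stored in a 64-bit unsigned variable
 * (uint64_t models unsigned long on LP64), so bit 31 is sign-extended. */
uint64_t size_widened(const unsigned char *b)
{
    return (uint64_t)be32_as_int(b);
}

/* Post-fix shape: a 32-bit unsigned destination, nothing to extend into. */
uint32_t size_narrow(const unsigned char *b)
{
    return (uint32_t)be32_as_int(b);
}

/* Hypothetical range check against a fixed-size buffer of buf_len bytes. */
int fits_in_buffer(uint64_t offset, uint64_t size, uint64_t buf_len)
{
    return offset <= buf_len && size <= buf_len - offset;
}

int main(void)
{
    printf("widened: 0x%016llx\n", (unsigned long long)size_widened(SAMPLE_HIGH));
    printf("narrow:  0x%08lx\n", (unsigned long)size_narrow(SAMPLE_HIGH));
    printf("fits in 1024-byte buffer: %d\n",
           fits_in_buffer(0, size_widened(SAMPLE_HIGH), 1024));
    return 0;
}
```

The widened value comes out as 0xffffffff80000001 instead of 0x80000001, and the range check rejects it.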


@ -274,7 +274,7 @@ qcowXGetBackingStore(char **res,
bool isQCow2)
{
unsigned long long offset;
unsigned long size;
unsigned int size;
*res = NULL;
if (format)
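
Review bot: the new `unsigned int size;` declaration in qcowXGetBackingStore has no comment saying why it must stay 32 bits wide, so a later cleanup could widen it back to `unsigned long` and reintroduce the sign extension the commit message describes. Consider a one-line comment at the declaration. Better still, cast the most significant byte to an unsigned type before the shift in the expression that assigns `size` (that expression is not visible in this hunk), so that correctness no longer depends on the width of the destination variable. The neighbouring `unsigned long long offset;` is left unchanged here, so it is worth confirming in the same review pass that its assignment does not rely on the same int-promoted shift pattern.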