virDiskNameParse: Fix integer overflow in disk name parsing

The conversion to index entails multiplication and accumulation of
user-provided data, which can easily overflow. Use
VIR_MULTIPLY_ADD_IS_OVERFLOW to check if the string is valid.

Closes: https://gitlab.com/libvirt/libvirt/-/issues/674
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Peter Krempa 2024-09-09 16:46:09 +02:00 committed by Pavel Hrdina
parent a9ede822da
commit e562b16ede


@ -338,11 +338,17 @@ int virDiskNameParse(const char *name, int *disk, int *partition)
return -1;
for (i = 0; *ptr; i++) {
int c = *ptr - 'a';
if (!g_ascii_islower(*ptr))
break;
idx = (idx + (i < 1 ? 0 : 1)) * 26;
idx += *ptr - 'a';
idx = (idx + (i < 1 ? 0 : 1));
if (VIR_MULTIPLY_ADD_IS_OVERFLOW(INT_MAX, idx, 26, c))
return -1;
idx = idx * 26 + c;
ptr++;
}
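Review bot: The increment `idx = (idx + (i < 1 ? 0 : 1));` still runs before the VIR_MULTIPLY_ADD_IS_OVERFLOW check, so that addition is unchecked signed arithmetic on a value derived from the caller-supplied name. The macro's definition is not visible here, but if it accepts results up to and including INT_MAX, a previous iteration can leave idx at exactly INT_MAX, and the next lowercase letter then overflows in the `+ 1` (undefined behaviour) before the guard is evaluated. Rejecting that case ahead of the increment closes the gap, e.g. `if (i > 0 && idx == INT_MAX) return -1;` placed just before the increment. A unit test with a name that decodes to exactly INT_MAX followed by one more letter would pin this boundary. The body of virDiskNameParse starts and continues outside this hunk, so how idx is used after the loop could not be reviewed.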