libvirt-0.8.2-29.el5.src.rpm

From b46ebb25253742eaabfcf340525981c5447be1df Mon Sep 17 00:00:00 2001
From: Eric Blake <eblake@redhat.com>
Date: Mon, 18 Jun 2012 21:36:19 -0600
Subject: [PATCH] storage: avoid mishandling backing store > 2GB
To: libvir-list@redhat.com

5.9: https://bugzilla.redhat.com/show_bug.cgi?id=772821

Detected by Coverity.  The code was doing math on shifted unsigned
char (which promotes to int), then promoting that to unsigned long
during assignment to size.  On 64-bit platforms, this risks sign
extending values of size > 2GiB.  Bug present since commit
489fd3 (v0.6.0).

I'm not sure if a specially-crafted bogus qcow2 image could
exploit this, although it's probably not possible, since we
were already checking for the computed results being within
range of our fixed-size buffer.

* src/util/storage_file.c (qcowXGetBackingStore): Avoid sign
extension.
(cherry picked from commit 54456cc0fd3590ae9d1d4a74161eb9aa76d66710)

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
 src/util/storage_file.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/util/storage_file.c b/src/util/storage_file.c
index 97e24b8..da88cd5 100644
--- a/src/util/storage_file.c
+++ b/src/util/storage_file.c
@@ -257,7 +257,7 @@ qcowXGetBackingStore(char **res,
                      bool isQCow2)
 {
     unsigned long long offset;
-    unsigned long size;
+    unsigned int size;
 
     *res = NULL;
     if (format)
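Review bot: the hunk changes only the destination type of `size`; the expression the commit message describes (shifting a promoted `unsigned char` by 24) still overflows `int` whenever the top byte is 0x80 or higher, which is undefined behaviour in C even though gcc happens to wrap. Casting each byte to `unsigned int` before shifting, e.g. `((unsigned int)buf[off] << 24) | ((unsigned int)buf[off + 1] << 16) | ...`, or reading the field through a big-endian 32-bit helper, would keep the intermediate value unsigned so that the assignment to `unsigned int size` is well defined as well as free of sign extension. It would also be worth confirming that the later check against the fixed-size buffer compares `size` as an unsigned quantity, since that check is what the message relies on to bound a size read from an untrusted image.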
-- 
1.7.7.4
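The promotion chain the commit message describes, shown as an added demonstration (not code from libvirt or from the patch): `promoted_be32` is a hypothetical helper that mirrors the described expression, the 4-byte header field is constructed, and `uint64_t` stands in for the 64-bit `unsigned long` of LP64 platforms such as x86_64 Linux.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 4-byte big-endian size field, the kind of header value the
 * parser reads from an untrusted image: 0x80000000 = 2 GiB (top bit set). */
static const unsigned char sample_be32[4] = { 0x80, 0x00, 0x00, 0x00 };

/* Mirrors the original expression: the unsigned chars are promoted to int,
 * shifted and OR-ed, so the 32-bit pattern ends up in an int and a top-bit-set
 * value is negative there. The shifts are done on unsigned int here to avoid
 * the undefined signed left shift; the final unsigned-to-int conversion is
 * implementation defined, and gcc/clang wrap exactly as the original code saw. */
static int promoted_be32(const unsigned char *p)
{
    return (int)(((unsigned int)p[0] << 24) | ((unsigned int)p[1] << 16)
                 | ((unsigned int)p[2] << 8) | (unsigned int)p[3]);
}

/* Before the patch: `unsigned long size` (64-bit on LP64). Converting a
 * negative int to a 64-bit unsigned type works modulo 2^64, which replicates
 * the sign bit into the upper 32 bits: 0x80000000 -> 0xffffffff80000000. */
uint64_t size_before_patch(const unsigned char *p)
{
    uint64_t size = promoted_be32(p);
    return size;
}

/* After the patch: `unsigned int size`. The int-to-unsigned int conversion
 * keeps the 32-bit pattern, and widening an unsigned int afterwards zero
 * extends, so the value read is 0x80000000 as intended. */
uint64_t size_after_patch(const unsigned char *p)
{
    unsigned int size = promoted_be32(p);
    return size;
}

/* The bound the commit message relies on: a parsed size is only usable if it
 * fits the fixed-size buffer. A sign-extended size is huge and is rejected
 * just like an honestly oversized one, which is why the bug is unlikely to be
 * reachable; cap is a constructed limit. */
int size_fits_buffer(uint64_t size, uint64_t cap)
{
    return size <= cap;
}

int main(void)
{
    printf("before patch: 0x%" PRIx64 "\n", size_before_patch(sample_be32));
    printf("after patch:  0x%" PRIx64 "\n", size_after_patch(sample_be32));
    return 0;
}
```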