From b46ebb25253742eaabfcf340525981c5447be1df Mon Sep 17 00:00:00 2001 From: Eric Blake <eblake@redhat.com> Date: Mon, 18 Jun 2012 21:36:19 -0600 Subject: [PATCH] storage: avoid mishandling backing store > 2GB To: libvir-list@redhat.com 5.9: https://bugzilla.redhat.com/show_bug.cgi?id=772821 Detected by Coverity. The code was doing math on shifted unsigned char (which promotes to int), then promoting that to unsigned long during assignment to size. On 64-bit platforms, this risks sign extending values of size > 2GiB. Bug present since commit 489fd3 (v0.6.0). I'm not sure if a specially-crafted bogus qcow2 image could exploit this, although it's probably not possible, since we were already checking for the computed results being within range of our fixed-size buffer. * src/util/storage_file.c (qcowXGetBackingStore): Avoid sign extension. (cherry picked from commit 54456cc0fd3590ae9d1d4a74161eb9aa76d66710) Signed-off-by: Daniel Veillard <veillard@redhat.com> --- src/util/storage_file.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/util/storage_file.c b/src/util/storage_file.c index 97e24b8..da88cd5 100644 --- a/src/util/storage_file.c +++ b/src/util/storage_file.c @@ -257,7 +257,7 @@ qcowXGetBackingStore(char **res, bool isQCow2) { unsigned long long offset; - unsigned long size; + unsigned int size; *res = NULL; if (format) -- 1.7.7.4
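Review bot: narrowing `size` from `unsigned long` to `unsigned int` fixes the conversion side of the bug in qcowXGetBackingStore, but the expression that produces the value (not shown in this hunk) still combines shifted `unsigned char` operands as `int`; for a leading byte of 0x80 or higher, `buf[k] << 24` shifts into the sign bit, which is undefined behaviour in C, and the fix only comes out right because GCC wraps in practice. Consider casting each byte before shifting, e.g. `((unsigned int)buf[k] << 24) | ((unsigned int)buf[k+1] << 16) | ...`, so the result is well defined regardless of the destination type. Since the hunk shows only the declaration, a one-line comment stating that the on-disk field is 32 bits (as the qcow2 backing_file_size field is) would let a reader see that `unsigned int` cannot truncate a legitimate value, and that the existing buffer-range check on `size` still rejects the oversized values the commit message is worried about.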