| commit | 46485de0cb357b57373e1ca895adedf1f3ed46ec | |
| author | Kevin Wolf <kwolf@redhat.com> | |
| Thu, 8 May 2014 11:08:20 +0000 (8 13:08 +0200) | ||
| committer | Kevin Wolf <kwolf@redhat.com> | |
| Mon, 19 May 2014 09:36:49 +0000 (19 11:36 +0200) | ||
| tree | 3d7bdb3799feee94728a37374a26349d46e7b227 | treesnapshot (tar.gz zip) |
| parent | 42eb58179b3b215bb507da3262b682b8a2ec10b5 | commitdiff |
qcow1: Validate image size (CVE-2014-0223)
A huge image size could cause s->l1_size to overflow. Make sure that
images never require a L1 table larger than what fits in s->l1_size.
This cannot only cause unbounded allocations, but also the allocation of
a too small L1 table, resulting in out-of-bounds array accesses (both
reads and writes).
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
A huge image size could cause s->l1_size to overflow. Make sure that
images never require a L1 table larger than what fits in s->l1_size.
This cannot only cause unbounded allocations, but also the allocation of
a too small L1 table, resulting in out-of-bounds array accesses (both
reads and writes).
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
| block/qcow.c | diffblobblamehistory | |
| tests/qemu-iotests/092 | diffblobblamehistory | |
| tests/qemu-iotests/092.out | diffblobblamehistory |