The len variable is a signed integer, so assigning it the backing file
name length read from the qcow2 image header can wrap it to a negative
value when the on-disk value exceeds INT_MAX. This case should be
handled explicitly.

Signed-off-by: Max Reitz <mre...@redhat.com>
---
 block/qcow2.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/block/qcow2.c b/block/qcow2.c
index 9c29e1a..e54176e 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -630,6 +630,11 @@ static int qcow2_open(BlockDriverState *bs, QDict 
*options, int flags,
     /* read the backing file name */
     if (header.backing_file_offset != 0) {
         len = header.backing_file_size;
+        if (len < 0) {
+            error_setg(errp, "Backing file name length is negative");
+            ret = -EINVAL;
+            goto fail;
+        }
         if (len > 1023) {
             len = 1023;
         }
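Review bot: The new `len < 0` test relies on the implementation-defined result of narrowing an out-of-range header value into a signed int at `len = header.backing_file_size;`, which presumably is an unsigned 32-bit field in the on-disk header. The check is more robust written against the unsigned field before the narrowing assignment, which also keeps the existing truncation to 1023 intact: `if (header.backing_file_size > 1023) { len = 1023; } else { len = header.backing_file_size; }` (or the project's MIN() if it is available here). If a distinct error for absurd sizes is still wanted, the message "Backing file name length is negative" describes the in-memory artifact rather than what is in the image; a message such as `"Backing file name length too large"` is what a user can act on. qcow2_open continues past the hunk, so how `len` is later bounded against the header or cluster size is not visible here.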
-- 
1.8.4.2

