Patchwork qemu-img: Fix segfault during rebase

Submitter: Kevin Wolf
Date: Feb. 17, 2010, 11:32 a.m.
Message ID: <1266406379-5029-1-git-send-email-kwolf@redhat.com>
Permalink: /patch/45605/
State: New

Comments

Kevin Wolf - Feb. 17, 2010, 11:32 a.m.
This fixes a possible read beyond the end of the temporary buffers used for
comparing data in the old and the new backing file.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
 qemu-img.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
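As an added example, not part of the patch or of QEMU, the C model below reproduces the offset arithmetic the one-line fix corrects: the names compare_sectors, written, pnum and n mirror the hunk, while the sector-difference array and the bounds bookkeeping are constructed here to make the out-of-bounds read observable instead of undefined.

```c
/* Added example, not QEMU code: a bounds-checked model of the img_rebase()
 * compare loop from the patch. differs[] is constructed input; a 1 marks a
 * sector where the old and new backing files differ. */

/* Model of compare_sectors(): looks at `count` sectors from `start`, returns 1
 * if the first one differs, and stores in *pnum how many consecutive sectors
 * share that verdict. Instead of reading past the n-sector buffer it records
 * the offending index in *max_index and stops, so an out-of-bounds read shows
 * up as *max_index >= n rather than as undefined behaviour. */
static int compare_sectors(const int *differs, int n, int start, int count,
                           int *pnum, int *max_index)
{
    int i, first = -1;
    for (i = 0; i < count; i++) {
        int idx = start + i;
        if (idx > *max_index)
            *max_index = idx;
        if (idx >= n)
            break;                      /* the real code would read here */
        if (first < 0)
            first = differs[idx];
        else if (differs[idx] != first)
            break;
    }
    *pnum = i;
    return first == 1;
}

/* One n-sector chunk of the rebase loop. fixed == 0 passes n as the count
 * (pre-patch); fixed == 1 passes n - written (patched). Returns the highest
 * sector index compare_sectors() tried to read; n - 1 means every access
 * stayed inside buf_old/buf_new. */
static int rebase_chunk(const int *differs, int n, int fixed)
{
    int written = 0, max_index = -1;
    while (written < n) {
        int pnum, count = fixed ? n - written : n;
        compare_sectors(differs, n, written, count, &pnum, &max_index);
        /* the real loop would bdrv_write() pnum sectors here if they differ */
        if (pnum <= 0)
            break;
        written += pnum;
    }
    return max_index;
}

/* Constructed inputs: a chunk where only sector 0 differs (so written > 0
 * when the run reaches the buffer end) and one where no sector differs. */
static const int only_first_differs[4] = { 1, 0, 0, 0 };
static const int none_differ[4] = { 0, 0, 0, 0 };
```

With only_first_differs the pre-patch count reaches index 4, one sector past a four-sector buffer, while the patched count stops at 3; with none_differ both stay in bounds because written never advances, which is why the original read was only a possible one.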
Anthony Liguori - Feb. 19, 2010, 10:01 p.m.
On 02/17/2010 05:32 AM, Kevin Wolf wrote:
> This fixes a possible read beyond the end of the temporary buffers used for
> comparing data in the old and the new backing file.
>
> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
>

Applied.  Thanks.

Regards,

Anthony Liguori
> ---
>   qemu-img.c |    2 +-
>   1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/qemu-img.c b/qemu-img.c
> index 250d892..258dc62 100644
> --- a/qemu-img.c
> +++ b/qemu-img.c
> @@ -1225,7 +1225,7 @@ static int img_rebase(int argc, char **argv)
>                   int pnum;
>
>                   if (compare_sectors(buf_old + written * 512,
> -                    buf_new + written * 512, n,&pnum))
> +                    buf_new + written * 512, n - written,&pnum))
>                   {
>                       ret = bdrv_write(bs, sector + written,
>                           buf_old + written * 512, pnum);
>

Patch

diff --git a/qemu-img.c b/qemu-img.c
index 250d892..258dc62 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -1225,7 +1225,7 @@  static int img_rebase(int argc, char **argv)
                 int pnum;
 
                 if (compare_sectors(buf_old + written * 512,
-                    buf_new + written * 512, n, &pnum))
+                    buf_new + written * 512, n - written, &pnum))
                 {
                     ret = bdrv_write(bs, sector + written,
                         buf_old + written * 512, pnum);
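Review bot: the commit message should spell out the arithmetic behind the changed compare_sectors() count, since the hunk alone does not: both buffer arguments are already advanced by `written * 512` bytes, so of the n sectors in buf_old and buf_new only `n - written` remain, and passing `n` overstated the remaining length by `written` sectors, which is the read beyond the buffer end the message describes. It is also worth a sentence that the `pnum` produced by this call feeds the following `bdrv_write(bs, sector + written, buf_old + written * 512, pnum)`, so the corrected count matters for the write as well as the compare. A regression test in which the old and new backing files differ in an early sector and then match to the end of the chunk (so that `written > 0` when the final run is compared) would catch this being reintroduced.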