From patchwork Wed Feb 29 15:17:57 2012
X-Patchwork-Submitter: Kevin Wolf
X-Patchwork-Id: 143786
From: Kevin Wolf
To: anthony@codemonkey.ws
Cc: kwolf@redhat.com, qemu-devel@nongnu.org
Date: Wed, 29 Feb 2012 16:17:57 +0100
Message-Id: <1330528688-21996-17-git-send-email-kwolf@redhat.com>
In-Reply-To: <1330528688-21996-1-git-send-email-kwolf@redhat.com>
References: <1330528688-21996-1-git-send-email-kwolf@redhat.com>
Subject: [Qemu-devel] [PATCH 16/27] qcow2: Reject too large header extensions

Image files that make qemu-img info read several gigabytes into the unknown header extensions list are bad. Just fail opening the image if an extension claims to be larger than the header extension area.

Signed-off-by: Kevin Wolf
Reviewed-by: Stefan Hajnoczi

--- block/qcow2.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) diff --git a/block/qcow2.c b/block/qcow2.c index f68f0e1..eb5ea48 100644 --- a/block/qcow2.c +++ b/block/qcow2.c @@ -108,6 +108,11 @@ static int qcow2_read_extensions(BlockDriverState *bs, uint64_t start_offset, #ifdef DEBUG_EXT printf("ext.magic = 0x%x\n", ext.magic); #endif + if (ext.len > end_offset - offset) { + error_report("Header extension too large"); + return -EINVAL; + } + switch (ext.magic) { case QCOW2_EXT_MAGIC_END: return 0;
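
Review bot: The added test "ext.len > end_offset - offset" in qcow2_read_extensions() is only sound if offset can never exceed end_offset at that point. If these are unsigned 64-bit values like start_offset in the signature, a larger offset makes the subtraction wrap to a huge number and any ext.len passes. The hunk does not show whether offset has already been advanced past the extension header that was just read, so please confirm the loop guarantees offset <= end_offset here, or guard the subtraction by rejecting offset > end_offset first. Because the check sits ahead of the switch, it also covers QCOW2_EXT_MAGIC_END, so an end marker carrying a bogus length now fails the open rather than returning 0; a line in the commit message stating that this is intended would help. Printing ext.len and offset in the "Header extension too large" message would also make rejected images easier to triage.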