From df11159ca436d983d7b2976bd8ba4f836678adeb Mon Sep 17 00:00:00 2001 From: Kevin Wolf Date: Thu, 31 Jul 2014 16:03:23 -0500 Subject: [CHANGE 01/31] qcow2: Reject too large header extensions To: rhvirt-patches@redhat.com, jen@redhat.com RH-Author: Kevin Wolf Message-id: <1406822631-6570-2-git-send-email-kwolf@redhat.com> Patchwork-id: 60358 O-Subject: [RHEL-6.6 qemu-kvm PATCH v3 01/29] qcow2: Reject too large header extensions Bugzilla: 1124443 RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Jeffrey Cody RH-Acked-by: Max Reitz Image files that make qemu-img info read several gigabytes into the unknown header extensions list are bad. Just fail opening the image if an extension claims to be larger than the header extension area. Signed-off-by: Kevin Wolf Reviewed-by: Stefan Hajnoczi (cherry picked from commit 64ca6aee4f06a3af869e5e09f0afeb6721966875) Signed-off-by: Kevin Wolf Signed-off-by: jen --- block/qcow2.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/block/qcow2.c b/block/qcow2.c index 1fe2e50..a43f69b 100644 --- a/block/qcow2.c +++ b/block/qcow2.c @@ -111,6 +111,11 @@ static int qcow2_read_extensions(BlockDriverState *bs, uint64_t start_offset, #ifdef DEBUG_EXT printf("ext.magic = 0x%x\n", ext.magic); #endif + if (ext.len > end_offset - offset) { + error_report("Header extension too large"); + return -EINVAL; + } + switch (ext.magic) { case QCOW2_EXT_MAGIC_END: return 0; -- 1.9.3
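Review bot: The added bound check `if (ext.len > end_offset - offset)` in qcow2_read_extensions() is only safe if `offset` can never exceed `end_offset` when it is reached, and nothing in the visible context establishes that. `start_offset` is a `uint64_t` in the signature. If `offset` and `end_offset` are unsigned as well, a case where `offset` has already moved past `end_offset` makes the subtraction wrap to a huge value, and an oversized `ext.len` would then pass the check. Please either confirm that invariant in the commit message or add an explicit `offset > end_offset` rejection ahead of the comparison. A smaller point on the same lines: `error_report("Header extension too large")` gives no detail, so including `ext.magic`, `ext.len` and the offset in the message would make a rejected image much easier to triage.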