From: Kevin Wolf
Date: Thu, 8 May 2014 13:35:09 +0200
Subject: [PATCH] qcow1: Stricter backing file length check

Like qcow2 since commit 6d33e8e7, error out on invalid lengths instead of silently truncating them to 1023. Also don't rely on bdrv_pread() catching integer overflows that make len negative, but use unsigned variables in the first place.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf
Reviewed-by: Benoit Canet
(cherry picked from commit d66e5cee002c471b78139228a4e7012736b375f9)

Conflicts:
	tests/qemu-iotests/092
	tests/qemu-iotests/092.out
---
 block/qcow.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/block/qcow.c b/block/qcow.c
index 4946bbf..9439c73 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -96,7 +96,8 @@ static int qcow_probe(const uint8_t *buf, int buf_size, const char *filename)
 static int qcow_open(BlockDriverState *bs, QDict *options, int flags)
 {
     BDRVQcowState *s = bs->opaque;
-    int len, i, shift, ret;
+    unsigned int len, i, shift;
+    int ret;
     QCowHeader header;
 
     ret = bdrv_pread(bs->file, 0, &header, sizeof(header));
@@ -198,7 +199,9 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags)
     if (header.backing_file_offset != 0) {
         len = header.backing_file_size;
         if (len > 1023) {
-            len = 1023;
+            error_report("Backing file name too long");
+            ret = -EINVAL;
+            goto fail;
         }
         ret = bdrv_pread(bs->file, header.backing_file_offset,
                          bs->backing_file, len);
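Review bot: The bound in the second hunk, `if (len > 1023) {`, restates the size of the destination buffer as a literal, while the bdrv_pread() two lines below writes `len` bytes into `bs->backing_file`; now that `len` is unsigned the check is sound, but it only stays sound as long as that literal tracks the array. If `bs->backing_file` is a fixed-size char array (its declaration is not visible here), tying the check to it, `if (len >= sizeof(bs->backing_file)) {`, keeps the terminator slot reserved without depending on a magic number that must be kept in step with the header. The header value `header.backing_file_offset` is passed to bdrv_pread() without any range check in the visible lines; since bdrv_pread() bounds the read to the file this is a robustness rather than a memory-safety concern, and it may well be checked elsewhere in qcow_open(). The NUL termination of `bs->backing_file` after the read, and the `fail` label the new code jumps to, are outside this hunk.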