1369de9828
CVE-2014-3689 vmware_vga: insufficient parameter validation in rectangle functions (bz #1153038, bz #1153035)
34 lines
1.1 KiB
Diff
34 lines
1.1 KiB
Diff
From: Kevin Wolf <kwolf@redhat.com>
|
|
Date: Wed, 26 Mar 2014 13:05:37 +0100
|
|
Subject: [PATCH] vpc: Validate block size (CVE-2014-0142)
|
|
|
|
This fixes some cases of division by zero crashes.
|
|
|
|
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
Reviewed-by: Max Reitz <mreitz@redhat.com>
|
|
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
(cherry picked from commit 5e71dfad763d67bb64be79e20e93411c0c30ad25)
|
|
|
|
Conflicts:
|
|
tests/qemu-iotests/group
|
|
---
|
|
block/vpc.c | 5 +++++
|
|
1 file changed, 5 insertions(+)
|
|
|
|
diff --git a/block/vpc.c b/block/vpc.c
|
|
index 16c5acf..a41a0ab 100644
|
|
--- a/block/vpc.c
|
|
+++ b/block/vpc.c
|
|
@@ -234,6 +234,11 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags)
|
|
}
|
|
|
|
s->block_size = be32_to_cpu(dyndisk_header->block_size);
|
|
+ if (!is_power_of_2(s->block_size) || s->block_size < BDRV_SECTOR_SIZE) {
|
|
+ fprintf(stderr, "Invalid block size %" PRIu32, s->block_size);
|
|
+ ret = -EINVAL;
|
|
+ goto fail;
|
|
+ }
|
|
s->bitmap_size = ((s->block_size / (8 * 512)) + 511) & ~511;
|
|
|
|
s->max_table_entries = be32_to_cpu(dyndisk_header->max_table_entries);
|