29 lines
1.0 KiB
Diff
29 lines
1.0 KiB
Diff
From: Kevin Wolf <kwolf@redhat.com>
|
|
Date: Wed, 26 Mar 2014 13:05:49 +0100
|
|
Subject: [PATCH] qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143)
|
|
|
|
This ensures that the checks catch all invalid cluster indexes
|
|
instead of returning the refcount of a wrong cluster.
|
|
|
|
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
Reviewed-by: Max Reitz <mreitz@redhat.com>
|
|
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
(cherry picked from commit db8a31d11d6a60f48d6817530640d75aa72a9a2f)
|
|
---
|
|
block/qcow2-refcount.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
|
|
index d784dd6..3e473bd 100644
|
|
--- a/block/qcow2-refcount.c
|
|
+++ b/block/qcow2-refcount.c
|
|
@@ -87,7 +87,7 @@ static int load_refcount_block(BlockDriverState *bs,
|
|
static int get_refcount(BlockDriverState *bs, int64_t cluster_index)
|
|
{
|
|
BDRVQcowState *s = bs->opaque;
|
|
- int refcount_table_index, block_index;
|
|
+ uint64_t refcount_table_index, block_index;
|
|
int64_t refcount_block_offset;
|
|
int ret;
|
|
uint16_t *refcount_block;
|