rpms/qemu
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
cd9d161514
qemu/0228-vmdk-Fix-possible-segfaults.patch
Cole Robinson cd9d161514 CVE-2012-2652: Possible symlink attacks with -snapshot (bz 825697, bz 824919) 
Fix systemtap tapsets (bz 831763)
Fix qmp response race caused by spice server bug (bz 744015)
Fix text mode screendumps (bz 819155)
Don't renable ksm on update (bz 815156)
Fix RPM install error on non-virt machines (bz 660629)
Obsolete openbios to fix upgrade dependency issues (bz 694802)
2012-07-29 21:15:19 -04:00

56 lines
1.6 KiB
Diff
Raw Blame History

From f51851ea928882bd3d49cbb6d953723294239d8a Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Wed, 26 Oct 2011 12:25:52 +0200
Subject: [PATCH] vmdk: Fix possible segfaults
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Data we read from the disk isn't necessarily null terminated and may not
contain the string we're looking for. The code needs to be a bit more careful
here.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 93897b9fd43548e9c15cf8bece2d9e5174b01fc7)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
block/vmdk.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/block/vmdk.c b/block/vmdk.c
index 8284747..f4fce08 100644
--- a/block/vmdk.c
+++ b/block/vmdk.c
@@ -196,6 +196,7 @@ static uint32_t vmdk_read_cid(BlockDriverState *bs, int parent)
cid_str_size = sizeof("CID");
}
+ desc[DESC_SIZE - 1] = '\0';
p_name = strstr(desc, cid_str);
if (p_name != NULL) {
p_name += cid_str_size;
@@ -212,13 +213,17 @@ static int vmdk_write_cid(BlockDriverState *bs, uint32_t cid)
BDRVVmdkState *s = bs->opaque;
int ret;
- memset(desc, 0, sizeof(desc));
ret = bdrv_pread(bs->file, s->desc_offset, desc, DESC_SIZE);
if (ret < 0) {
return ret;
}
+ desc[DESC_SIZE - 1] = '\0';
tmp_str = strstr(desc, "parentCID");
+ if (tmp_str == NULL) {
+ return -EINVAL;
+ }
+
pstrcpy(tmp_desc, sizeof(tmp_desc), tmp_str);
p_name = strstr(desc, "CID");
if (p_name != NULL) {
--
1.7.11.2
Reference in New Issue View Git Blame Copy Permalink