From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:35974) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1YtAhu-0000PM-DK for qemu-devel@nongnu.org; Fri, 15 May 2015 04:11:02 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1YtAht-0007Wz-Fi for qemu-devel@nongnu.org; Fri, 15 May 2015 04:10:58 -0400 From: Markus Armbruster References: <1431653951-28178-1-git-send-email-famz@redhat.com> <1431653951-28178-2-git-send-email-famz@redhat.com> Date: Fri, 15 May 2015 10:10:47 +0200 In-Reply-To: <1431653951-28178-2-git-send-email-famz@redhat.com> (Fam Zheng's message of "Fri, 15 May 2015 09:39:10 +0800") Message-ID: <87twventvc.fsf@blackfin.pond.sub.org> MIME-Version: 1.0 Content-Type: text/plain Subject: Re: [Qemu-devel] [PATCH 1/2] block: Detect multiplication overflow in bdrv_getlength List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Fam Zheng Cc: Kevin Wolf , qemu-devel@nongnu.org, qemu-block@nongnu.org Fam Zheng writes: > Bogus image may have a large total_sectors that will overflow the > multiplication. For cleanness, fix the return code so the error message > will be meaningful. > > Reported-by: Richard W.M. Jones > Signed-off-by: Fam Zheng > --- > block.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/block.c b/block.c > index 7904098..5ee3fdf 100644 > --- a/block.c > +++ b/block.c > @@ -2330,6 +2330,7 @@ int64_t bdrv_getlength(BlockDriverState *bs) > { > int64_t ret = bdrv_nb_sectors(bs); > > + ret = (int64_t)(ret * BDRV_SECTOR_SIZE) < 0 ? -EFBIG : ret; > return ret < 0 ? ret : ret * BDRV_SECTOR_SIZE; > } Signed integer overflow is undefined behavior. Your code works just fine on any remotely sane machine, *except* when the optimizer decides to use its undefined behavior license to mess with you. A more prudent way to test for overflow would be something like ret > INT64_MAX / BDRV_SECTOR_SIZE