From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([208.118.235.92]:59842) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1S2lFF-0005nb-F2 for qemu-devel@nongnu.org; Wed, 29 Feb 2012 10:15:23 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1S2lF5-0003Yb-ES for qemu-devel@nongnu.org; Wed, 29 Feb 2012 10:15:09 -0500 Received: from mx1.redhat.com ([209.132.183.28]:45984) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1S2lF5-0003WJ-6X for qemu-devel@nongnu.org; Wed, 29 Feb 2012 10:14:59 -0500 From: Kevin Wolf Date: Wed, 29 Feb 2012 16:17:57 +0100 Message-Id: <1330528688-21996-17-git-send-email-kwolf@redhat.com> In-Reply-To: <1330528688-21996-1-git-send-email-kwolf@redhat.com> References: <1330528688-21996-1-git-send-email-kwolf@redhat.com> Subject: [Qemu-devel] [PATCH 16/27] qcow2: Reject too large header extensions List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: anthony@codemonkey.ws Cc: kwolf@redhat.com, qemu-devel@nongnu.org Image files that make qemu-img info read several gigabytes into the unknown header extensions list are bad. Just fail opening the image if an extension claims to be larger than the header extension area. Signed-off-by: Kevin Wolf Reviewed-by: Stefan Hajnoczi --- block/qcow2.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) diff --git a/block/qcow2.c b/block/qcow2.c index f68f0e1..eb5ea48 100644 --- a/block/qcow2.c +++ b/block/qcow2.c @@ -108,6 +108,11 @@ static int qcow2_read_extensions(BlockDriverState *bs, uint64_t start_offset, #ifdef DEBUG_EXT printf("ext.magic = 0x%x\n", ext.magic); #endif + if (ext.len > end_offset - offset) { + error_report("Header extension too large"); + return -EINVAL; + } + switch (ext.magic) { case QCOW2_EXT_MAGIC_END: return 0; -- 1.7.6.5
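Review bot: The bound `ext.len > end_offset - offset` is only meaningful if `offset` has already been advanced past the extension header (magic and length) and the enclosing loop guarantees `offset <= end_offset`; if either does not hold, the unsigned subtraction wraps and the check passes for any length. A one-line comment above the `if` stating that invariant would help future readers, and `error_report("Header extension too large")` would be more useful for diagnosing a rejected image if it also printed `ext.magic` and `ext.len`.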
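The check this patch adds, as an added example that is not QEMU's code: a small C parser over a constructed header extension area in the qcow2 layout (big-endian 32-bit magic, big-endian 32-bit length, data padded to a multiple of 8 bytes, magic 0 terminating the list) that rejects any extension claiming more bytes than remain in the area, so a hostile image cannot make the reader walk gigabytes into unknown extensions. The byte arrays, the function names and the 0x12345678 magic are constructed for this example; 0xE2792ACA is the real backing-format extension magic.

```c
/* Added example, not QEMU code: bounded parsing of a qcow2-style header
 * extension area. Mirrors the patch's "ext.len > end_offset - offset" check. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define QCOW2_EXT_MAGIC_END 0

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Walk the extensions in buf[0..size). Returns the number of extensions
 * seen before the end marker (or before the area is exhausted), or
 * -EINVAL if an extension claims more data than remains in the area. */
int parse_header_extensions(const uint8_t *buf, size_t size)
{
    size_t offset = 0;
    int count = 0;

    while (offset + 8 <= size) {            /* room for magic + length */
        uint32_t magic = be32(buf + offset);
        uint32_t len   = be32(buf + offset + 4);
        offset += 8;                        /* now past the header */

        if (magic == QCOW2_EXT_MAGIC_END) {
            return count;
        }
        /* The patch's bound: offset <= size holds here, so the subtraction
         * cannot wrap, and len must fit in what is left of the area. */
        if (len > size - offset) {
            fprintf(stderr, "Header extension too large (magic 0x%x, len %u)\n",
                    magic, len);
            return -EINVAL;
        }
        /* A real reader would consume buf[offset..offset+len) here. */
        offset += ((size_t)len + 7) & ~(size_t)7;   /* data padded to 8 */
        count++;
    }
    /* Area exhausted without an end marker: a trailing partial header is
     * malformed, an exact fit is fine. */
    return offset == size ? count : -EINVAL;
}

/* Constructed inputs for the example. */
static const uint8_t good_area[] = {
    0xE2, 0x79, 0x2A, 0xCA,  0x00, 0x00, 0x00, 0x03,   /* backing format, len 3 */
    'r',  'a',  'w',  0x00,  0x00, 0x00, 0x00, 0x00,   /* "raw" + padding       */
    0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,   /* end marker            */
};

static const uint8_t oversized_area[] = {
    0x12, 0x34, 0x56, 0x78,  0xFF, 0xFF, 0xFF, 0xFF,   /* claims ~4 GiB of data */
    0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
};

static const uint8_t exact_fit_area[] = {
    0x12, 0x34, 0x56, 0x78,  0x00, 0x00, 0x00, 0x08,   /* len == bytes remaining */
    0x01, 0x02, 0x03, 0x04,  0x05, 0x06, 0x07, 0x08,
};

int demo_good(void)      { return parse_header_extensions(good_area, sizeof good_area); }
int demo_oversized(void) { return parse_header_extensions(oversized_area, sizeof oversized_area); }
int demo_exact_fit(void) { return parse_header_extensions(exact_fit_area, sizeof exact_fit_area); }

int main(void)
{
    printf("good: %d, oversized: %d, exact fit: %d\n",
           demo_good(), demo_oversized(), demo_exact_fit());
    return 0;
}
```

The exact-fit case shows where the boundary sits: a length equal to the remaining bytes is accepted, one byte more is rejected, and the check runs before the data is touched so the bad image is refused without reading past the extension area.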