From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:52482) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WQBj6-0008Kc-HK for qemu-devel@nongnu.org; Wed, 19 Mar 2014 04:20:01 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1WQBix-0007DO-Ua for qemu-devel@nongnu.org; Wed, 19 Mar 2014 04:19:52 -0400 From: Deepak Kathayat Date: Wed, 19 Mar 2014 16:19:33 +0800 Message-Id: <1395217173-20902-1-git-send-email-deepak.mk17@gmail.com> Subject: [Qemu-devel] [PATCH] qcow2.c: Check if backing file name length is valid List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: qemu-trivial@nongnu.org, Deepak Kathayat , stefanha@redhat.com Signed-off-by: Deepak Kathayat --- The len variable is a signed integer whereas the backing file name length in the image header is unsigned. Therefore, it may overflow. Furthermore, backing file name length cannot be zero. These two cases must be handled explicitly. block/qcow2.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/block/qcow2.c b/block/qcow2.c index 945c9d6..7b6f65c 100644 --- a/block/qcow2.c +++ b/block/qcow2.c @@ -625,6 +625,11 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags, /* read the backing file name */ if (header.backing_file_offset != 0) { len = header.backing_file_size; + if (len <= 0) { + error_setg(errp, "Invalid backing file name length: %d", len); + ret = -EINVAL; + goto fail; + } if (len > 1023) { len = 1023; } -- 1.7.9.5
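Review bot: the new `if (len <= 0)` check tests the value only after the unsigned `header.backing_file_size` has already been stored into the signed `int len`, so the out-of-range case the commit message describes is caught only through an implementation-defined signed conversion; validate the header field itself before the assignment instead, e.g. `if (header.backing_file_size == 0 || header.backing_file_size > INT_MAX)`, so the check does not depend on how the compiler converts the value. The following `if (len > 1023) { len = 1023; }` still silently truncates an oversized name rather than rejecting it, so an image header that claims an absurd length in the 1024..INT_MAX range is still accepted after this patch; if that range is considered invalid too, the `-EINVAL` path would be the better place for it. The `%d` format matches the signed `len`, so the message is fine as written, but it would be clearer to print the raw header value in the error since that is what the user can correlate with the image.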