From: Bo Tu
Date: Thu, 23 Apr 2015 10:05:25 +0800
Message-Id: <1429754727-11263-6-git-send-email-tubo@linux.vnet.ibm.com>
In-Reply-To: <1429754727-11263-1-git-send-email-tubo@linux.vnet.ibm.com>
References: <1429754727-11263-1-git-send-email-tubo@linux.vnet.ibm.com>
Subject: [Qemu-devel] [PATCH RFC v7 5/7] qemu-iotests: s390x: fix test 049
To: qemu-devel@nongnu.org
Cc: kwolf@redhat.com, mreitz@redhat.com, armbru@redhat.com, mimu@linux.vnet.ibm.com

When creating an image, qemu-img enables us to specify the size of the image using the -o size=xx option. But when we specify an invalid size such as a negative size, different platforms give different results.

The parse_option_size() function in util/qemu-option.c is called to parse the size; a cast in that function converts the input size (saved as a double in the function) to an unsigned int64 value. When the input is a negative value or exceeds the maximum of uint64, the result is undefined. Language spec 6.3.1.4 Real floating and integers: the result of this assignment/cast is undefined if the float is not in the open interval (-1, U_MAX+1).

Signed-off-by: Xiao Guang Chen
---
tests/qemu-iotests/049.out | 10 ++++------ util/qemu-option.c | 5 +++++ 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/tests/qemu-iotests/049.out b/tests/qemu-iotests/049.out index 9f93666..75d90b2 100644 --- a/tests/qemu-iotests/049.out +++ b/tests/qemu-iotests/049.out
@@ -95,17 +95,15 @@ qemu-img create -f qcow2 TEST_DIR/t.qcow2 -- -1024 qemu-img: Image size must be less than 8 EiB! qemu-img create -f qcow2 -o size=-1024 TEST_DIR/t.qcow2 -qemu-img: qcow2 doesn't support shrinking images yet -qemu-img: TEST_DIR/t.qcow2: Could not resize image: Operation not supported -Formatting 'TEST_DIR/t.qcow2', fmt=qcow2 size=-1024 encryption=off cluster_size=65536 lazy_refcounts=off refcount_bits=16 +qemu-img: Parameter 'size' expects a positive number and must not exceeds the maximum UINT64 +qemu-img: TEST_DIR/t.qcow2: Invalid options for file format 'qcow2' qemu-img create -f qcow2 TEST_DIR/t.qcow2 -- -1k qemu-img: Image size must be less than 8 EiB! qemu-img create -f qcow2 -o size=-1k TEST_DIR/t.qcow2 -qemu-img: qcow2 doesn't support shrinking images yet -qemu-img: TEST_DIR/t.qcow2: Could not resize image: Operation not supported -Formatting 'TEST_DIR/t.qcow2', fmt=qcow2 size=-1024 encryption=off cluster_size=65536 lazy_refcounts=off refcount_bits=16 +qemu-img: Parameter 'size' expects a positive number and must not exceeds the maximum UINT64 +qemu-img: TEST_DIR/t.qcow2: Invalid options for file format 'qcow2' qemu-img create -f qcow2 TEST_DIR/t.qcow2 -- 1kilobyte qemu-img: Invalid image size specified! You may use k, M, G, T, P or E suffixes for diff --git a/util/qemu-option.c b/util/qemu-option.c index fda4e5f..1c50fa4 100644 --- a/util/qemu-option.c +++ b/util/qemu-option.c @@ -179,6 +179,11 @@ void parse_option_size(const char *name, const char *value, if (value != NULL) { sizef = strtod(value, &postfix); + if (sizef < 0 || sizef > UINT64_MAX) { + error_set(errp, QERR_INVALID_PARAMETER_VALUE, name, "a positive " + "number and must not exceeds the maximum UINT64"); + return; + } switch (*postfix) { case 'T': sizef *= 1024; -- 2.3.0
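Review bot: the 049.out hunk bakes the ungrammatical message "expects a positive number and must not exceeds the maximum UINT64" into the expected output, so the wording has to be fixed in both files at once or the test breaks; "must not exceed" is the correct form, and since the new check only rejects `sizef < 0`, size=0 still passes, so "non-negative" describes the accepted range more honestly than "positive". Something like `qemu-img: Parameter 'size' expects a non-negative number below 2^64` (mirrored in the error_set() string) would keep the expected output and the code in agreement.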
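Review bot: in the util/qemu-option.c hunk the range check `if (sizef < 0 || sizef > UINT64_MAX)` runs before the `switch (*postfix)` that multiplies `sizef` by 1024 per suffix, so a value that is in range before scaling (for example a large count with a 'T' suffix) can still exceed 2^64 at the cast and the undefined behaviour the commit message describes survives. The comparison itself is also off by one unit: `UINT64_MAX` converted to double rounds up to exactly 2^64, so `sizef == 2^64` is not `> UINT64_MAX` and slips through, and `strtod()` returns NaN for input such as "nan", which fails both comparisons and also reaches the cast. Suggest moving the check after the switch and writing it as `if (!(sizef >= 0 && sizef < 0x1p64))` (the negated form rejects NaN as well), or reusing the "Image size must be less than 8 EiB!" limit that the non-`-o` path already enforces.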
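The commit message describes the undefined double-to-uint64_t cast but the patch only shows one check. The following is an added example, not code from the QEMU patch or the QEMU tree: `parse_size()` is a hypothetical stand-in for `parse_option_size()` (same strtod-plus-suffix shape, k/M/G/T suffixes assumed), and `patch_check_rejects()` reproduces the patch's comparison literally so the gap at exactly 2^64 can be observed. It demonstrates the two properties a safe check needs: reject anything outside [0, 2^64) including NaN, and apply the check to the value after suffix scaling.

```c
/*
 * Added example, not part of the QEMU patch above. parse_size() is a
 * hypothetical stand-in for parse_option_size(); suffixes k/M/G/T assumed.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* 2^64 as a double: the smallest value that does not fit in uint64_t.
 * (double)UINT64_MAX rounds up to exactly this value, so a check written
 * as "sizef > UINT64_MAX" accepts 2^64 and the cast is still undefined. */
#define TWO_POW_64 0x1p64

/* The comparison exactly as the patch writes it; true means "rejected". */
static bool patch_check_rejects(double sizef)
{
    return sizef < 0 || sizef > UINT64_MAX;
}

/* Convert only when C11 6.3.1.4 defines the result: a finite value in
 * [0, 2^64). "d != d" is true only for NaN, which fails both comparisons. */
static bool double_to_u64(double d, uint64_t *out)
{
    if (d != d || d < 0 || d >= TWO_POW_64) {
        return false;
    }
    *out = (uint64_t)d;
    return true;
}

/* Hypothetical size parser: number with optional k/M/G/T suffix.
 * The range check is applied to the scaled value, so "16777216T"
 * (2^24 * 2^40 = 2^64) is rejected although 16777216 itself is in range. */
static bool parse_size(const char *value, uint64_t *out)
{
    char *postfix;
    errno = 0;
    double sizef = strtod(value, &postfix);
    if (postfix == value || errno == ERANGE) {
        return false;                       /* no digits, or overflowed strtod */
    }
    switch (*postfix) {
    case 'T': sizef *= 1024;                /* fall through */
    case 'G': sizef *= 1024;                /* fall through */
    case 'M': sizef *= 1024;                /* fall through */
    case 'K': case 'k': sizef *= 1024;      /* fall through */
    case 'b': case '\0': break;
    default: return false;                  /* unknown suffix */
    }
    if (*postfix != '\0' && postfix[1] != '\0') {
        return false;                       /* trailing junk, e.g. "1kilobyte" */
    }
    return double_to_u64(sizef, out);       /* checked after scaling */
}

/* Wrappers so results can be checked by value. */
static bool size_ok(const char *value)
{
    uint64_t v;
    return parse_size(value, &v);
}

static uint64_t size_value(const char *value)
{
    uint64_t v = 0;
    return parse_size(value, &v) ? v : 0;
}

int main(void)
{
    /* Constructed inputs mirroring the cases in test 049 plus the 2^64 edge. */
    const char *inputs[] = { "1k", "-1024", "-1k", "1kilobyte",
                             "18446744073709551616", "16777216T", "1.5G" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        uint64_t v;
        if (parse_size(inputs[i], &v)) {
            printf("%-22s -> %llu\n", inputs[i], (unsigned long long)v);
        } else {
            printf("%-22s -> rejected\n", inputs[i]);
        }
    }
    printf("patch check rejects 2^64? %s\n",
           patch_check_rejects(TWO_POW_64) ? "yes" : "no");
    return 0;
}
```

One consequence of parsing through a double is that "18446744073709551615" (UINT64_MAX spelled out) rounds to 2^64 in strtod and is rejected by this parser; a parser that must accept the full uint64_t range has to use integer arithmetic with explicit overflow checks instead.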