From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:42768) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Yvoqm-0004eS-03 for qemu-devel@nongnu.org; Fri, 22 May 2015 11:27:08 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Yvoql-0006m9-A7 for qemu-devel@nongnu.org; Fri, 22 May 2015 11:27:03 -0400 From: Kevin Wolf Date: Fri, 22 May 2015 17:26:31 +0200 Message-Id: <1432308400-13958-14-git-send-email-kwolf@redhat.com> In-Reply-To: <1432308400-13958-1-git-send-email-kwolf@redhat.com> References: <1432308400-13958-1-git-send-email-kwolf@redhat.com> Subject: [Qemu-devel] [PULL 13/22] block: Detect multiplication overflow in bdrv_getlength List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-block@nongnu.org Cc: kwolf@redhat.com, qemu-devel@nongnu.org From: Fam Zheng Bogus image may have a large total_sectors that will overflow the multiplication. For cleanness, fix the return code so the error message will be meaningful. Reported-by: Richard W.M. Jones Signed-off-by: Fam Zheng Reviewed-by: Alberto Garcia Reviewed-by: Markus Armbruster Signed-off-by: Kevin Wolf --- block.c | 1 + 1 file changed, 1 insertion(+) diff --git a/block.c b/block.c index 325f727..f42d70e 100644 --- a/block.c +++ b/block.c @@ -2341,6 +2341,7 @@ int64_t bdrv_getlength(BlockDriverState *bs) { int64_t ret = bdrv_nb_sectors(bs); + ret = ret > INT64_MAX / BDRV_SECTOR_SIZE ? -EFBIG : ret; return ret < 0 ? ret : ret * BDRV_SECTOR_SIZE; } -- 1.8.3.1