qcow2: Fix header extension size check

After reading the extension header, offset is incremented, but not checked against end_offset any more. This way an integer overflow could happen when checking whether the extension end is within the allowed range, effectively disabling the check. This patch adds the missing check and a test case for it. Cc: qemu-stable@nongnu.org Reported-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Message-id: 1416935562-7760-2-git-send-email-kwolf@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
author: Kevin Wolf <kwolf@redhat.com> 2014-11-25 18:12:40 +0100
committer: Kevin Wolf <kwolf@redhat.com> 2014-12-10 10:31:13 +0100
commit: 2ebafc854d109ff09b66fb4dd62c2c53fc29754a (patch)
tree: 2647037960aee19ef9c07457a6e4b3bd93330ffa /block/qcow2.c
parent: 3dc7ca3c97dff8732e38828b38e0497efba0fedf (diff)
download: qemu-2ebafc854d109ff09b66fb4dd62c2c53fc29754a.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/block/qcow2.c b/block/qcow2.c
index d12049451a..8b9ffc4cc0 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -117,7 +117,7 @@ static int qcow2_read_extensions(BlockDriverState *bs, uint64_t start_offset,
 #ifdef DEBUG_EXT
         printf("ext.magic = 0x%x\n", ext.magic);
 #endif
-        if (ext.len > end_offset - offset) {
+        if (offset > end_offset || ext.len > end_offset - offset) {
             error_setg(errp, "Header extension too large");
             return -EINVAL;
         }
author	Kevin Wolf <kwolf@redhat.com>	2014-11-25 18:12:40 +0100
committer	Kevin Wolf <kwolf@redhat.com>	2014-12-10 10:31:13 +0100
commit	2ebafc854d109ff09b66fb4dd62c2c53fc29754a (patch)
tree	2647037960aee19ef9c07457a6e4b3bd93330ffa /block/qcow2.c
parent	3dc7ca3c97dff8732e38828b38e0497efba0fedf (diff)
download	qemu-2ebafc854d109ff09b66fb4dd62c2c53fc29754a.zip