diff options
| author | Stefan Hajnoczi <stefanha@redhat.com> | 2014-03-26 13:06:00 +0100 |
|---|---|---|
| committer | Stefan Hajnoczi <stefanha@redhat.com> | 2014-04-01 15:22:35 +0200 |
| commit | f0dce23475b5af5da6b17b97c1765271307734b6 (patch) | |
| tree | 10413067d5ef5cdf10cfdd61ba02c0e87b3afa1a /qapi/string-output-visitor.c | |
| parent | 686d7148ec23402a172628c800022b3a95a022c9 (diff) | |
| download | qemu-f0dce23475b5af5da6b17b97c1765271307734b6.zip | |
dmg: prevent chunk buffer overflow (CVE-2014-0145)
Both compressed and uncompressed I/O is buffered. dmg_open() calculates
the maximum buffer size needed from the metadata in the image file.
There is currently a buffer overflow since ->lengths[] is accounted
against the maximum compressed buffer size but actually uses the
uncompressed buffer:
switch (s->types[chunk]) {
case 1: /* copy */
ret = bdrv_pread(bs->file, s->offsets[chunk],
s->uncompressed_chunk, s->lengths[chunk]);
We must account against the maximum uncompressed buffer size for type=1
chunks.
This patch fixes the maximum buffer size calculation to take into
account the chunk type. It is critical that we update the correct
maximum since there are two buffers ->compressed_chunk and
->uncompressed_chunk.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Diffstat (limited to 'qapi/string-output-visitor.c')
0 files changed, 0 insertions, 0 deletions