summaryrefslogtreecommitdiff
path: root/tests/qemu-iotests/group
diff options
context:
space:
mode:
authorStefan Hajnoczi <stefanha@redhat.com>2014-03-26 13:06:00 +0100
committerStefan Hajnoczi <stefanha@redhat.com>2014-04-01 15:22:35 +0200
commitf0dce23475b5af5da6b17b97c1765271307734b6 (patch)
tree10413067d5ef5cdf10cfdd61ba02c0e87b3afa1a /tests/qemu-iotests/group
parent686d7148ec23402a172628c800022b3a95a022c9 (diff)
downloadqemu-f0dce23475b5af5da6b17b97c1765271307734b6.zip
dmg: prevent chunk buffer overflow (CVE-2014-0145)
Both compressed and uncompressed I/O is buffered. dmg_open() calculates the maximum buffer size needed from the metadata in the image file. There is currently a buffer overflow since ->lengths[] is accounted against the maximum compressed buffer size but actually uses the uncompressed buffer: switch (s->types[chunk]) { case 1: /* copy */ ret = bdrv_pread(bs->file, s->offsets[chunk], s->uncompressed_chunk, s->lengths[chunk]); We must account against the maximum uncompressed buffer size for type=1 chunks. This patch fixes the maximum buffer size calculation to take into account the chunk type. It is critical that we update the correct maximum since there are two buffers ->compressed_chunk and ->uncompressed_chunk. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Diffstat (limited to 'tests/qemu-iotests/group')
0 files changed, 0 insertions, 0 deletions