git.ipfire.org Git - thirdparty/qemu.git/commit

author	Stefan Hajnoczi <stefanha@redhat.com>
	Wed, 26 Mar 2014 12:05:28 +0000 (13:05 +0100)
committer	Michael Roth <mdroth@linux.vnet.ibm.com>
	Thu, 3 Jul 2014 21:18:10 +0000 (16:18 -0500)
commit	0fda3e2d639fee7c3262485c48c3b5fd6c9b4114
tree	9ee28c276c0f00cce511601254b7c6dca88cc696	tree
parent	7dcffbb2bfcb38c98cff911cd002c09e9326e3cc	commit \| diff

block/cloop: refuse images with bogus offsets (CVE-2014-0144)

The offsets[] array allows efficient seeking and tells us the maximum
compressed data size. If the offsets are bogus the maximum compressed
data size will be unrealistic.

This could cause g_malloc() to abort and bogus offsets mean the image is
broken anyway. Therefore we should refuse such images.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit f56b9bc3ae20fc93815b34aa022be919941406ce)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

block/cloop.c		diff \| blob \| blame \| history
tests/qemu-iotests/075		diff \| blob \| blame \| history
tests/qemu-iotests/075.out		diff \| blob \| blame \| history