git.ipfire.org Git - thirdparty/qemu.git/commit

author	Stefan Hajnoczi <stefanha@redhat.com>
	Wed, 26 Mar 2014 12:06:00 +0000 (13:06 +0100)
committer	Michael Roth <mdroth@linux.vnet.ibm.com>
	Thu, 3 Jul 2014 21:18:13 +0000 (16:18 -0500)
commit	b6f7fbdd1d9e27822e829e983fb6f907576a24e4
tree	36d7715515bcc2b4abb94446738e3786ad79d099	tree
parent	d400b5dc4acaa883d8e856a137c37f7aea1b2707	commit \| diff

dmg: prevent chunk buffer overflow (CVE-2014-0145)

Both compressed and uncompressed I/O is buffered.  dmg_open() calculates
the maximum buffer size needed from the metadata in the image file.

There is currently a buffer overflow since ->lengths[] is accounted
against the maximum compressed buffer size but actually uses the
uncompressed buffer:

  switch (s->types[chunk]) {
  case 1: /* copy */
      ret = bdrv_pread(bs->file, s->offsets[chunk],
                       s->uncompressed_chunk, s->lengths[chunk]);

We must account against the maximum uncompressed buffer size for type=1
chunks.

This patch fixes the maximum buffer size calculation to take into
account the chunk type.  It is critical that we update the correct
maximum since there are two buffers ->compressed_chunk and
->uncompressed_chunk.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit f0dce23475b5af5da6b17b97c1765271307734b6)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>