git.ipfire.org Git - thirdparty/libvirt.git/commitdiff
storage: avoid mishandling backing store > 2GB
author Eric Blake <eblake@redhat.com>
Thu, 2 Jun 2011 23:52:16 +0000 (17:52 -0600)
committer Eric Blake <eblake@redhat.com>
Wed, 8 Jun 2011 11:18:46 +0000 (05:18 -0600)
Detected by Coverity.  The code was doing math on shifted unsigned
char (which promotes to int), then promoting that to unsigned long
during assignment to size.  On 64-bit platforms, this risks sign
extending values of size > 2GiB.  Bug present since commit
489fd3 (v0.6.0).

I'm not sure if a specially-crafted bogus qcow2 image could
exploit this, although it's probably not possible, since we
were already checking for the computed results being within
range of our fixed-size buffer.

* src/util/storage_file.c (qcowXGetBackingStore): Avoid sign
extension.
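
The promotion chain the commit message describes, as an added example that is not libvirt code: four big-endian header bytes are combined from shifted unsigned char (type int after promotion), then stored first in an unsigned long, as the pre-fix code did, and then in an unsigned int, as the fix does. The helper names, the 4096-byte buffer size and the sample header bytes are constructed for the illustration; the sign extension only shows on an LP64 host (64-bit unsigned long), and the promoted int is rebuilt through uint32_t so the example itself avoids the signed-shift overflow the original expression has for a leading byte of 0x80 or above.

```c
#include <stdint.h>
#include <stdio.h>

/* Editor-added example, not libvirt code. Constructed qcow2-style
 * header bytes: a backing-file length of 0x80000001 (just over 2 GiB),
 * big-endian, the case the commit message is about. */
static const unsigned char SAMPLE_HDR[4] = { 0x80, 0x00, 0x00, 0x01 };

/* Value of the original shift expression after integer promotion: each
 * unsigned char promotes to int, so the whole expression is an int.
 * The shifts are done in uint32_t and converted back to int (reduced
 * modulo 2^32 on gcc/clang, which is implementation-defined rather than
 * the undefined behaviour of shifting 0x80 << 24 as int). */
static int promoted_value(const unsigned char *p)
{
    uint32_t u = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    return (int)u;
}

/* Before the fix: int -> unsigned long. A negative int (top bit set,
 * i.e. a length above 2 GiB) is sign-extended to 64 bits on LP64. */
unsigned long size_before_fix(const unsigned char *p)
{
    unsigned long size = promoted_value(p);
    return size;
}

/* After the fix: int -> unsigned int keeps the low 32 bits as they
 * are, so the stored value is the real 32-bit length. */
unsigned int size_after_fix(const unsigned char *p)
{
    unsigned int size = promoted_value(p);
    return size;
}

/* Robust decoding, independent of the destination type: shift unsigned
 * values, never the promoted int. */
uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The range check the commit message refers to, against a hypothetical
 * fixed-size backing-file buffer. A sign-extended length is larger than
 * the real one, so it is rejected as well: the bug mis-sizes the field,
 * it does not get a too-large length past the check. */
#define BACKING_BUF_SIZE 4096u
int length_in_range(unsigned long size)
{
    return size <= BACKING_BUF_SIZE;
}

int main(void)
{
    printf("unsigned long (before fix): 0x%lx\n", size_before_fix(SAMPLE_HDR));
    printf("unsigned int  (after fix) : 0x%x\n",  size_after_fix(SAMPLE_HDR));
    printf("read_be32                 : 0x%x\n",  (unsigned)read_be32(SAMPLE_HDR));
    printf("passes range check        : %d\n",   length_in_range(size_before_fix(SAMPLE_HDR)));
    return 0;
}
```

On a 64-bit Linux host the first line prints 0xffffffff80000001 and the second 0x80000001; on an ILP32 or LLP64 platform unsigned long is 32 bits and the two agree, which is why the commit message limits the problem to 64-bit platforms.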

src/util/storage_file.c

index 6b3b756362ce5d916678c2b17453d58b708f3ffc..06cabc8b5a3c5239b3ed2302b23e9a9ba71b4818 100644
@@ -274,7 +274,7 @@ qcowXGetBackingStore(char **res,
                      bool isQCow2)
 {
     unsigned long long offset;
-    unsigned long size;
+    unsigned int size;
 
     *res = NULL;
     if (format)
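Review bot: narrowing `size` to `unsigned int` at the declaration stops the int-to-unsigned-long sign extension the commit message describes, but the expression that produces the value is still evaluated as int after the unsigned char operands are promoted, and a leading byte of 0x80 or above shifted by 24 overflows int, which C99 6.5.7 leaves undefined rather than merely sign-extended. Consider casting each byte to `unsigned int` (or reading the field through a uint32_t big-endian helper) before shifting, so the result is well-defined whatever the destination type, and add a one-line comment at the declaration noting that this is the 32-bit big-endian qcow2 length field that is later checked against the fixed-size buffer; that makes the type choice self-documenting for the next reader.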