qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143)
authorKevin Wolf <kwolf@redhat.com>
Wed, 26 Mar 2014 12:05:49 +0000 (13:05 +0100)
committerMichael Roth <mdroth@linux.vnet.ibm.com>
Thu, 3 Jul 2014 21:18:12 +0000 (16:18 -0500)
This ensures that the checks catch all invalid cluster indexes
instead of returning the refcount of a wrong cluster.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit db8a31d11d6a60f48d6817530640d75aa72a9a2f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
block/qcow2-refcount.c

index 22dfb2d2b28df7773d613c3e4a2bb2158b52ad5f..57c1fbad9612d70b5591218bcd1c8eb33b6a7e60 100644 (file)
@@ -89,7 +89,7 @@ static int load_refcount_block(BlockDriverState *bs,
 static int get_refcount(BlockDriverState *bs, int64_t cluster_index)
 {
     BDRVQcowState *s = bs->opaque;
-    int refcount_table_index, block_index;
+    uint64_t refcount_table_index, block_index;
     int64_t refcount_block_offset;
     int ret;
     uint16_t *refcount_block;
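Review bot: The widened declaration of `refcount_table_index` and `block_index` has no comment saying why the indexes must be 64-bit, so a later cleanup could narrow them back to `int` and reintroduce the truncation this commit fixes. A line such as `/* 64-bit on purpose: an int would truncate a large cluster_index before the range check */` above the declaration would pin the intent. The parameter `cluster_index` stays a signed `int64_t`, so a negative argument would now turn into a very large unsigned index. That is safe only if the range check further down compares the index against the table size as an unsigned value, which cannot be confirmed here because the body of get_refcount continues past the end of the hunk. If negative values are never valid, rejecting them explicitly at the top of the function would make the assumption visible instead of relying on the conversion.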