From: Kevin Wolf <kwolf@redhat.com>
Date: Wed, 26 Mar 2014 12:05:53 +0000 (+0100)
Subject: qcow2: Fix new L1 table size check (CVE-2014-0143)
X-Git-Tag: v1.7.2~55
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3c6347ce8c3edc677c95da437bd40321e6d57b00;p=thirdparty%2Fqemu.git

qcow2: Fix new L1 table size check (CVE-2014-0143)

The size in bytes is assigned to an int later, so check that instead of
the number of entries.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit cab60de930684c33f67d4e32c7509b567f8c445b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---

diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
index 791083a0efa..64a7ee60b80 100644
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -55,7 +55,7 @@ int qcow2_grow_l1_table(BlockDriverState *bs, uint64_t min_size,
         }
     }
 
-    if (new_l1_size > INT_MAX) {
+    if (new_l1_size > INT_MAX / sizeof(uint64_t)) {
         return -EFBIG;
     }