From: Dmitry Frolov <frolov@swemel.ru>
Date: Wed, 6 Nov 2024 08:04:36 +0000 (+0300)
Subject: parallels: fix possible int overflow
X-Git-Tag: v9.2.0-rc2~6^2~9
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b62e82be06a97ce48d1363bb28e8215ab2487a20;p=thirdparty%2Fqemu.git

parallels: fix possible int overflow

The sum "cluster_index + count" may overflow uint32_t.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
Message-ID: <20241106080521.219255-2-frolov@swemel.ru>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---

diff --git a/block/parallels.c b/block/parallels.c
index 9205a0864fa..071b6dcaf8b 100644
--- a/block/parallels.c
+++ b/block/parallels.c
@@ -184,11 +184,11 @@ static int mark_used(BlockDriverState *bs, unsigned long *bitmap,
     BDRVParallelsState *s = bs->opaque;
     uint32_t cluster_index = host_cluster_index(s, off);
     unsigned long next_used;
-    if (cluster_index + count > bitmap_size) {
+    if ((uint64_t)cluster_index + count > bitmap_size) {
         return -E2BIG;
     }
     next_used = find_next_bit(bitmap, bitmap_size, cluster_index);
-    if (next_used < cluster_index + count) {
+    if (next_used < (uint64_t)cluster_index + count) {
         return -EBUSY;
     }
     bitmap_set(bitmap, cluster_index, count);