From: Peter Krempa Date: Mon, 9 Sep 2024 14:46:09 +0000 (+0200) Subject: virDiskNameParse: Fix integer overflow in disk name parsing X-Git-Tag: v10.8.0-rc1~106 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e562b16edeb49e14464fa505679b0d0398311c04;p=thirdparty%2Flibvirt.git virDiskNameParse: Fix integer overflow in disk name parsing The conversion to index entails multiplication and accumulation by user provided data which can easily overflow, use VIR_MULTIPLY_ADD_IS_OVERFLOW to check if the string is valid. Closes: https://gitlab.com/libvirt/libvirt/-/issues/674 Signed-off-by: Peter Krempa Reviewed-by: Pavel Hrdina --- diff --git a/src/util/virutil.c b/src/util/virutil.c index dc5009f11d..6c89a48e51 100644 --- a/src/util/virutil.c +++ b/src/util/virutil.c @@ -338,11 +338,17 @@ int virDiskNameParse(const char *name, int *disk, int *partition) return -1; for (i = 0; *ptr; i++) { + int c = *ptr - 'a'; + if (!g_ascii_islower(*ptr)) break; - idx = (idx + (i < 1 ? 0 : 1)) * 26; - idx += *ptr - 'a'; + idx = (idx + (i < 1 ? 0 : 1)); + + if (VIR_MULTIPLY_ADD_IS_OVERFLOW(INT_MAX, idx, 26, c)) + return -1; + + idx = idx * 26 + c; ptr++; }
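Review bot: the `idx = (idx + (i < 1 ? 0 : 1));` line in the loop body still does an unchecked signed addition before `VIR_MULTIPLY_ADD_IS_OVERFLOW(INT_MAX, idx, 26, c)` runs. If the previous iteration left `idx` at exactly `INT_MAX` (possible when the macro treats the limit as inclusive, which this hunk does not show), the `+ 1` overflows before anything is checked. Consider rejecting `idx == INT_MAX` ahead of the increment, or folding the increment into the checked expression so that no arithmetic on `idx` happens outside the guard. A smaller point: `int c = *ptr - 'a';` is computed above the `g_ascii_islower(*ptr)` test, so for the character that ends the loop it holds a value outside 0 to 25. It is unused on that path, but assigning it after the `break` would make the valid range of `c` obvious at the point where it feeds the overflow check. The commit also changes behaviour for callers (a new `return -1` path) without a test in this diff. A case with a lowercase suffix long enough to exceed `INT_MAX` would pin it down.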