storage: avoid mishandling backing store > 2GB

Detected by Coverity. The code was doing math on shifted unsigned char (which promotes to int), then promoting that to unsigned long during assignment to size. On 64-bit platforms, this risks sign extending values of size > 2GiB. Bug present since commit 489fd3 (v0.6.0). I'm not sure if a specially-crafted bogus qcow2 image could exploit this, although it's probably not possible, since we were already checking for the computed results being within range of our fixed-size buffer. * src/util/storage_file.c (qcowXGetBackingStore): Avoid sign extension.

storage: avoid mishandling backing store > 2GB
Detected by Coverity. The code was doing math on shifted unsigned char (which promotes to int), then promoting that to unsigned long during assignment to size. On 64-bit platforms, this risks sign extending values of size > 2GiB. Bug present since commit 489fd3 (v0.6.0). I'm not sure if a specially-crafted bogus qcow2 image could exploit this, although it's probably not possible, since we were already checking for the computed results being within range of our fixed-size buffer. * src/util/storage_file.c (qcowXGetBackingStore): Avoid sign extension.
54456cc0 · Eric Blake · 28ea3bf3 · 54456cc0
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

src/util/storage_file.c src/util/storage_file.c +1 -1

未找到文件。
--- a/src/util/storage_file.c
+++ b/src/util/storage_file.c
@@ -274,7 +274,7 @@ qcowXGetBackingStore(char **res,
                     bool isQCow2)
 {
    unsigned long long offset;
-    unsigned long size;
+    unsigned int size;

    *res = NULL;
    if (format)