qcow2: Prevent numerical overflow

In qcow2_alloc_cluster_offset(), *num is limited to INT_MAX >> BDRV_SECTOR_BITS by all callers. However, since remaining is of type uint64_t, we might as well cast *num to that type before performing the shift. Cc: qemu-stable@nongnu.org Signed-off-by: N Max Reitz <mreitz@redhat.com> Reviewed-by: N Kevin Wolf <kwolf@redhat.com> Signed-off-by: N Kevin Wolf <kwolf@redhat.com> (cherry picked from commit 11c89769) Signed-off-by: N Michael Roth <mdroth@linux.vnet.ibm.com>

qcow2: Prevent numerical overflow
In qcow2_alloc_cluster_offset(), *num is limited to INT_MAX >> BDRV_SECTOR_BITS by all callers. However, since remaining is of type uint64_t, we might as well cast *num to that type before performing the shift. Cc: qemu-stable@nongnu.org Signed-off-by: N Max Reitz <mreitz@redhat.com> Reviewed-by: N Kevin Wolf <kwolf@redhat.com> Signed-off-by: N Kevin Wolf <kwolf@redhat.com> (cherry picked from commit 11c89769) Signed-off-by: N Michael Roth <mdroth@linux.vnet.ibm.com>
1e85e69f · Max Reitz · Michael Roth · ff15187e · 1e85e69f
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

block/qcow2-cluster.c block/qcow2-cluster.c +1 -1

未找到文件。
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -1263,7 +1263,7 @@ int qcow2_alloc_cluster_offset(BlockDriverState *bs, uint64_t offset,

 again:
    start = offset;
-    remaining = *num << BDRV_SECTOR_BITS;
+    remaining = (uint64_t)*num << BDRV_SECTOR_BITS;
    cluster_offset = 0;
    *host_offset = 0;
    cur_bytes = 0;