From 1e85e69fd6972d1990c6309dfa273ccd8b12d92a Mon Sep 17 00:00:00 2001 From: Max Reitz Date: Tue, 2 Dec 2014 18:32:50 +0100 Subject: [PATCH] qcow2: Prevent numerical overflow In qcow2_alloc_cluster_offset(), *num is limited to INT_MAX >> BDRV_SECTOR_BITS by all callers. However, since remaining is of type uint64_t, we might as well cast *num to that type before performing the shift. Cc: qemu-stable@nongnu.org Signed-off-by: Max Reitz Reviewed-by: Kevin Wolf Signed-off-by: Kevin Wolf (cherry picked from commit 11c89769dc3e638ef72915d97058411ddf79b64b) Signed-off-by: Michael Roth --- block/qcow2-cluster.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c index df0b2c9cec..1fea5142d0 100644 --- a/block/qcow2-cluster.c +++ b/block/qcow2-cluster.c @@ -1263,7 +1263,7 @@ int qcow2_alloc_cluster_offset(BlockDriverState *bs, uint64_t offset, again: start = offset; - remaining = *num << BDRV_SECTOR_BITS; + remaining = (uint64_t)*num << BDRV_SECTOR_BITS; cluster_offset = 0; *host_offset = 0; cur_bytes = 0; -- GitLab