block/dmg: validate chunk size to avoid overflow

Previously the chunk size was not checked, allowing for a large memory allocation. This patch checks whether the chunks size is within the resource fork length, and whether the resource fork is below the trailer of the dmg file. Signed-off-by: N Peter Wu <peter@lekensteyn.nl> Reviewed-by: N John Snow <jsnow@redhat.com> Message-id: 1420566495-13284-6-git-send-email-peter@lekensteyn.nl Signed-off-by: N Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: N Kevin Wolf <kwolf@redhat.com>

block/dmg: validate chunk size to avoid overflow
Previously the chunk size was not checked, allowing for a large memory allocation. This patch checks whether the chunks size is within the resource fork length, and whether the resource fork is below the trailer of the dmg file. Signed-off-by: N Peter Wu <peter@lekensteyn.nl> Reviewed-by: N John Snow <jsnow@redhat.com> Message-id: 1420566495-13284-6-git-send-email-peter@lekensteyn.nl Signed-off-by: N Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: N Kevin Wolf <kwolf@redhat.com>
f6e6652d · Peter Wu · Kevin Wolf · 7aee37b9 · f6e6652d
隐藏空白更改
内联并排

Showing with 6 addition and 1 deletion

block/dmg.c block/dmg.c +6 -1

未找到文件。
--- a/block/dmg.c
+++ b/block/dmg.c
@@ -317,7 +317,7 @@ static int dmg_read_resource_fork(BlockDriverState *bs, DmgHeaderState *ds,
        ret = read_uint32(bs, offset, &count);
        if (ret < 0) {
            goto fail;
-        } else if (count == 0) {
+        } else if (count == 0 || count > info_end - offset) {
            ret = -EINVAL;
            goto fail;
        }
@@ -377,6 +377,11 @@ static int dmg_open(BlockDriverState *bs, QDict *options, int flags,
    if (ret < 0) {
        goto fail;
    }
+    if (rsrc_fork_offset >= offset ||
+        rsrc_fork_length > offset - rsrc_fork_offset) {
+        ret = -EINVAL;
+        goto fail;
+    }
    if (rsrc_fork_length != 0) {
        ret = dmg_read_resource_fork(bs, &ds,
                                     rsrc_fork_offset, rsrc_fork_length);