From: Max Reitz Date: Tue, 2 Dec 2014 17:32:50 +0000 (+0100) Subject: qcow2: Prevent numerical overflow X-Git-Tag: qemu-xen-4.6.0-rc1~34^2~45 X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=1e85e69fd6972d1990c6309dfa273ccd8b12d92a;p=qemu-upstream-4.6-testing.git qcow2: Prevent numerical overflow In qcow2_alloc_cluster_offset(), *num is limited to INT_MAX >> BDRV_SECTOR_BITS by all callers. However, since remaining is of type uint64_t, we might as well cast *num to that type before performing the shift. Cc: qemu-stable@nongnu.org Signed-off-by: Max Reitz Reviewed-by: Kevin Wolf Signed-off-by: Kevin Wolf (cherry picked from commit 11c89769dc3e638ef72915d97058411ddf79b64b) Signed-off-by: Michael Roth --- diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c index df0b2c9ce..1fea5142d 100644 --- a/block/qcow2-cluster.c +++ b/block/qcow2-cluster.c @@ -1263,7 +1263,7 @@ int qcow2_alloc_cluster_offset(BlockDriverState *bs, uint64_t offset, again: start = offset; - remaining = *num << BDRV_SECTOR_BITS; + remaining = (uint64_t)*num << BDRV_SECTOR_BITS; cluster_offset = 0; *host_offset = 0; cur_bytes = 0;
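Review bot: The bound that keeps the shift safe at `remaining = (uint64_t)*num << BDRV_SECTOR_BITS;` is enforced only by the callers, per the commit message (*num limited to INT_MAX >> BDRV_SECTOR_BITS), and nothing in this function checks or documents it. The cast is the right fix for the shift itself, since the computation is now done in 64 bits to match the type of `remaining`. Consider also adding an assertion or a short comment on this line stating the expected range of *num. The type of *num is not visible in the hunk; if it is signed, a negative value would convert to a very large `remaining` after the cast, and an assertion would catch that here instead of further down in the allocation path.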