From: Kevin Wolf Date: Thu, 5 Mar 2015 11:11:27 +0000 (+0000) Subject: bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147) X-Git-Tag: qemu-xen-4.4.3-rc1~17 X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=f2edd51682f1bf6a1fc5497feba0939d10b073e8;p=qemu-upstream-4.4-testing.git bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147) Gets us rid of integer overflows resulting in negative sizes which aren't correctly checked. Signed-off-by: Kevin Wolf Reviewed-by: Stefan Hajnoczi Reviewed-by: Max Reitz Signed-off-by: Stefan Hajnoczi Signed-off-by: Stefano Stabellini --- diff --git a/block/bochs.c b/block/bochs.c index d7078c077..69817650c 100644 --- a/block/bochs.c +++ b/block/bochs.c @@ -82,13 +82,13 @@ struct bochs_header { typedef struct BDRVBochsState { CoMutex lock; uint32_t *catalog_bitmap; - int catalog_size; + uint32_t catalog_size; - int data_offset; + uint32_t data_offset; - int bitmap_blocks; - int extent_blocks; - int extent_size; + uint32_t bitmap_blocks; + uint32_t extent_blocks; + uint32_t extent_size; } BDRVBochsState; static int bochs_probe(const uint8_t *buf, int buf_size, const char *filename) @@ -111,7 +111,7 @@ static int bochs_probe(const uint8_t *buf, int buf_size, const char *filename) static int bochs_open(BlockDriverState *bs, QDict *options, int flags) { BDRVBochsState *s = bs->opaque; - int i; + uint32_t i; struct bochs_header bochs; struct bochs_header_v1 header_v1; int ret; @@ -168,8 +168,8 @@ fail: static int64_t seek_to_sector(BlockDriverState *bs, int64_t sector_num) { BDRVBochsState *s = bs->opaque; - int64_t offset = sector_num * 512; - int64_t extent_index, extent_offset, bitmap_offset; + uint64_t offset = sector_num * 512; + uint64_t extent_index, extent_offset, bitmap_offset; char bitmap_entry; // seek to sector