qcow2: Prevent numerical overflow

In qcow2_alloc_cluster_offset(), *num is limited to INT_MAX >> BDRV_SECTOR_BITS by all callers. However, since remaining is of type uint64_t, we might as well cast *num to that type before performing the shift. Cc: qemu-stable@nongnu.org Signed-off-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> (cherry picked from commit 11c89769dc3e638ef72915d97058411ddf79b64b) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
author: Max Reitz <mreitz@redhat.com> 2014-12-02 18:32:50 +0100
committer: Michael Roth <mdroth@linux.vnet.ibm.com> 2015-01-07 15:11:53 -0600
commit: 175117c1592cdc9de8174b64e90e3dff22087d8e (patch)
tree: f4e80a2d49e54f91d632782b04597187840aeb5b
parent: aa58eedb35793e03584523d2d064f83bc45b67d1 (diff)
download: qemu-175117c1592cdc9de8174b64e90e3dff22087d8e.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
index 26827a2746..769e68df28 100644
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -1202,7 +1202,7 @@ int qcow2_alloc_cluster_offset(BlockDriverState *bs, uint64_t offset,
 
 again:
     start = offset;
-    remaining = *num << BDRV_SECTOR_BITS;
+    remaining = (uint64_t)*num << BDRV_SECTOR_BITS;
     cluster_offset = 0;
     *host_offset = 0;
     cur_bytes = 0;
author	Max Reitz <mreitz@redhat.com>	2014-12-02 18:32:50 +0100
committer	Michael Roth <mdroth@linux.vnet.ibm.com>	2015-01-07 15:11:53 -0600
commit	175117c1592cdc9de8174b64e90e3dff22087d8e (patch)
tree	f4e80a2d49e54f91d632782b04597187840aeb5b
parent	aa58eedb35793e03584523d2d064f83bc45b67d1 (diff)
download	qemu-175117c1592cdc9de8174b64e90e3dff22087d8e.tar.gz