qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143)

This avoids an unbounded allocation. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
author: Kevin Wolf <kwolf@redhat.com> 2014-03-26 13:06:06 +0100
committer: Stefan Hajnoczi <stefanha@redhat.com> 2014-04-01 15:22:35 +0200
commit: 6a83f8b5bec6f59e56cc49bd49e4c3f8f805d56f (patch)
tree: 4063692109e5f06ece922daad860641ec0fe8421 /block/qcow2-snapshot.c
parent: c05e4667be91b46ab42b5a11babf8e84d476cc6b (diff)
download: qemu-6a83f8b5bec6f59e56cc49bd49e4c3f8f805d56f.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/block/qcow2-snapshot.c b/block/qcow2-snapshot.c
index 715168e31f..5db4f30c82 100644
--- a/block/qcow2-snapshot.c
+++ b/block/qcow2-snapshot.c
@@ -680,6 +680,10 @@ int qcow2_snapshot_load_tmp(BlockDriverState *bs,
     sn = &s->snapshots[snapshot_index];
 
     /* Allocate and read in the snapshot's L1 table */
+    if (sn->l1_size > QCOW_MAX_L1_SIZE) {
+        error_setg(errp, "Snapshot L1 table too large");
+        return -EFBIG;
+    }
     new_l1_bytes = sn->l1_size * sizeof(uint64_t);
     new_l1_table = g_malloc0(align_offset(new_l1_bytes, 512));
author	Kevin Wolf <kwolf@redhat.com>	2014-03-26 13:06:06 +0100
committer	Stefan Hajnoczi <stefanha@redhat.com>	2014-04-01 15:22:35 +0200
commit	6a83f8b5bec6f59e56cc49bd49e4c3f8f805d56f (patch)
tree	4063692109e5f06ece922daad860641ec0fe8421 /block/qcow2-snapshot.c
parent	c05e4667be91b46ab42b5a11babf8e84d476cc6b (diff)
download	qemu-6a83f8b5bec6f59e56cc49bd49e4c3f8f805d56f.tar.gz