parallels: Fix catalog size integer overflow (CVE-2014-0143)

The first test case would cause a huge memory allocation, leading to a qemu abort; the second one to a too small malloc() for the catalog (smaller than s->catalog_size), which causes a read-only out-of-bounds array access and on big endian hosts an endianess conversion for an undefined memory area. The sample image used here is not an original Parallels image. It was created using an hexeditor on the basis of the struct that qemu uses. Good enough for trying to crash the driver, but not for ensuring compatibility. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
author: Kevin Wolf <kwolf@redhat.com> 2014-03-26 13:06:08 +0100
committer: Stefan Hajnoczi <stefanha@redhat.com> 2014-04-01 15:22:35 +0200
commit: afbcc40bee4ef51731102d7d4b499ee12fc182e1 (patch)
tree: 35f637ffc51bffdf6a01dd6478ccae2a0a2bcb1e /tests/qemu-iotests/group
parent: 5dae6e30c531feb31eed99f9039b52bf70832ce3 (diff)
download: qemu-afbcc40bee4ef51731102d7d4b499ee12fc182e1.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
index c51640c67e..864643d256 100644
--- a/tests/qemu-iotests/group
+++ b/tests/qemu-iotests/group
@@ -82,6 +82,7 @@
 073 rw auto quick
 074 rw auto quick
 075 rw auto
+076 auto
 077 rw auto quick
 078 rw auto
 079 rw auto
author	Kevin Wolf <kwolf@redhat.com>	2014-03-26 13:06:08 +0100
committer	Stefan Hajnoczi <stefanha@redhat.com>	2014-04-01 15:22:35 +0200
commit	afbcc40bee4ef51731102d7d4b499ee12fc182e1 (patch)
tree	35f637ffc51bffdf6a01dd6478ccae2a0a2bcb1e /tests/qemu-iotests/group
parent	5dae6e30c531feb31eed99f9039b52bf70832ce3 (diff)
download	qemu-afbcc40bee4ef51731102d7d4b499ee12fc182e1.tar.gz