From 715c3f60efa9801a777a71cd06eaf8efa7eaa2a8 Mon Sep 17 00:00:00 2001 From: Kevin Wolf Date: Wed, 9 Apr 2014 12:10:34 +0200 Subject: bochs: Fix catalog size check The old check was off by a factor of 512 and didn't consider cases where we don't get an exact division. This could lead to an out-of-bounds array access in seek_to_sector(). Signed-off-by: Kevin Wolf Reviewed-by: Laszlo Ersek --- block/bochs.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) (limited to 'block/bochs.c') diff --git a/block/bochs.c b/block/bochs.c index 50b84a91f3..eacf956e7d 100644 --- a/block/bochs.c +++ b/block/bochs.c @@ -148,8 +148,14 @@ static int bochs_open(BlockDriverState *bs, QDict *options, int flags, s->extent_blocks = 1 + (le32_to_cpu(bochs.extent) - 1) / 512; s->extent_size = le32_to_cpu(bochs.extent); - if (s->extent_size == 0) { - error_setg(errp, "Extent size may not be zero"); + if (s->extent_size < BDRV_SECTOR_SIZE) { + /* bximage actually never creates extents smaller than 4k */ + error_setg(errp, "Extent size must be at least 512"); + ret = -EINVAL; + goto fail; + } else if (!is_power_of_2(s->extent_size)) { + error_setg(errp, "Extent size %" PRIu32 " is not a power of two", + s->extent_size); ret = -EINVAL; goto fail; } else if (s->extent_size > 0x800000) { @@ -159,7 +165,9 @@ static int bochs_open(BlockDriverState *bs, QDict *options, int flags, goto fail; } - if (s->catalog_size < bs->total_sectors / s->extent_size) { + if (s->catalog_size < DIV_ROUND_UP(bs->total_sectors, + s->extent_size / BDRV_SECTOR_SIZE)) + { error_setg(errp, "Catalog size is too small for this disk size"); ret = -EINVAL; goto fail; -- cgit v1.2.1