SOURCES/kvm-dmg-prevent-out-of-bounds-array-access-on-terminator.patch

From bf5a2fd38203f176501ad891da1e7ea19da1673a Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Tue, 25 Mar 2014 14:23:41 +0100
Subject: [PATCH 34/49] dmg: prevent out-of-bounds array access on terminator

RH-Author: Kevin Wolf <kwolf@redhat.com>
Message-id: <1395753835-7591-35-git-send-email-kwolf@redhat.com>
Patchwork-id: n/a
O-Subject: [virt-devel] [EMBARGOED RHEL-7.0 qemu-kvm PATCH 34/48] dmg: prevent out-of-bounds array access on terminator
Bugzilla: 1066691
RH-Acked-by: Jeff Cody <jcody@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>

From: Stefan Hajnoczi <stefanha@redhat.com>

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1066691
Upstream status: Series embargoed

When a terminator is reached the base for offsets and sectors is stored.
The following records that are processed will use this base value.

If the first record we encounter is a terminator, then calculating the
base values would result in out-of-bounds array accesses. Don't do
that.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
 block/dmg.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/block/dmg.c b/block/dmg.c
index be2f26e..f4f3e8e 100644
--- a/block/dmg.c
+++ b/block/dmg.c
@@ -182,7 +182,7 @@ static int dmg_open(BlockDriverState *bs, QDict *options, int flags,
                 offset += 4;
                 if (s->types[i] != 0x80000005 && s->types[i] != 1 &&
                     s->types[i] != 2) {
-                    if (s->types[i] == 0xffffffff) {
+                    if (s->types[i] == 0xffffffff && i > 0) {
                         last_in_offset = s->offsets[i - 1] + s->lengths[i - 1];
                         last_out_offset = s->sectors[i - 1] +
                                           s->sectorcounts[i - 1];
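Review bot: the added `i > 0` guard on the `0xffffffff` branch does stop `s->offsets[i - 1]`, `s->lengths[i - 1]`, `s->sectors[i - 1]` and `s->sectorcounts[i - 1]` from indexing before the start of the arrays when the very first record is a terminator, but the hunk shows nothing about what `last_in_offset` and `last_out_offset` hold in that case; a one-line comment on the guarded branch stating that a leading terminator leaves the base values untouched would let a reviewer confirm the intent without the surrounding code. The check also reads more naturally with the index test first, e.g. `if (i > 0 && s->types[i] == 0xffffffff) {`, although both orders are safe here because `s->types[i]` is already read by the enclosing `if` two lines above. Separately, the chunk type values `0x80000005`, `1`, `2` and `0xffffffff` remain bare magic numbers in both the enclosing condition and the changed line; naming them would make this check and any later ones easier to audit.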
-- 
1.7.1