thebeanogamer / rpms / qemu-kvm

Forked from rpms/qemu-kvm 5 months ago
Clone

Blame SOURCES/kvm-dmg-prevent-out-of-bounds-array-access-on-terminator.patch

9ae3a8
From bf5a2fd38203f176501ad891da1e7ea19da1673a Mon Sep 17 00:00:00 2001
9ae3a8
From: Stefan Hajnoczi <stefanha@redhat.com>
9ae3a8
Date: Tue, 25 Mar 2014 14:23:41 +0100
9ae3a8
Subject: [PATCH 34/49] dmg: prevent out-of-bounds array access on terminator
9ae3a8
9ae3a8
RH-Author: Kevin Wolf <kwolf@redhat.com>
9ae3a8
Message-id: <1395753835-7591-35-git-send-email-kwolf@redhat.com>
9ae3a8
Patchwork-id: n/a
9ae3a8
O-Subject: [virt-devel] [EMBARGOED RHEL-7.0 qemu-kvm PATCH 34/48] dmg: prevent out-of-bounds array access on terminator
9ae3a8
Bugzilla: 1066691
9ae3a8
RH-Acked-by: Jeff Cody <jcody@redhat.com>
9ae3a8
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
9ae3a8
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
9ae3a8
9ae3a8
From: Stefan Hajnoczi <stefanha@redhat.com>
9ae3a8
9ae3a8
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1066691
9ae3a8
Upstream status: Series embargoed
9ae3a8
9ae3a8
When a terminator is reached the base for offsets and sectors is stored.
9ae3a8
The following records that are processed will use this base value.
9ae3a8
9ae3a8
If the first record we encounter is a terminator, then calculating the
9ae3a8
base values would result in out-of-bounds array accesses. Don't do
9ae3a8
that.
9ae3a8
9ae3a8
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
9ae3a8
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
9ae3a8
---
9ae3a8
 block/dmg.c |    2 +-
9ae3a8
 1 files changed, 1 insertions(+), 1 deletions(-)
9ae3a8
9ae3a8
diff --git a/block/dmg.c b/block/dmg.c
9ae3a8
index be2f26e..f4f3e8e 100644
9ae3a8
--- a/block/dmg.c
9ae3a8
+++ b/block/dmg.c
9ae3a8
@@ -182,7 +182,7 @@ static int dmg_open(BlockDriverState *bs, QDict *options, int flags,
9ae3a8
                 offset += 4;
9ae3a8
                 if (s->types[i] != 0x80000005 && s->types[i] != 1 &&
9ae3a8
                     s->types[i] != 2) {
9ae3a8
-                    if (s->types[i] == 0xffffffff) {
9ae3a8
+                    if (s->types[i] == 0xffffffff && i > 0) {
9ae3a8
                         last_in_offset = s->offsets[i - 1] + s->lengths[i - 1];
9ae3a8
                         last_out_offset = s->sectors[i - 1] +
9ae3a8
                                           s->sectorcounts[i - 1];
9ae3a8
-- 
9ae3a8
1.7.1
9ae3a8