Commit f6e6652d authored by Peter Wu's avatar Peter Wu Committed by Kevin Wolf
Browse files

block/dmg: validate chunk size to avoid overflow 



Previously the chunk size was not checked, allowing for a large memory
allocation. This patch checks whether the chunks size is within the
resource fork length, and whether the resource fork is below the
trailer of the dmg file.

Signed-off-by: default avatarPeter Wu <peter@lekensteyn.nl>
Reviewed-by: default avatarJohn Snow <jsnow@redhat.com>
Message-id: 1420566495-13284-6-git-send-email-peter@lekensteyn.nl
Signed-off-by: default avatarStefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: default avatarKevin Wolf <kwolf@redhat.com>
parent 7aee37b9

block/dmg.c

+6 −1
Original line number Diff line number Diff line
@@ -317,7 +317,7 @@ static int dmg_read_resource_fork(BlockDriverState *bs, DmgHeaderState *ds, 
        ret = read_uint32(bs, offset, &count);

        if (ret < 0) {

            goto fail;

        } else if (count == 0) {

        } else if (count == 0 || count > info_end - offset) {

            ret = -EINVAL;

            goto fail;

        }
@@ -377,6 +377,11 @@ static int dmg_open(BlockDriverState *bs, QDict *options, int flags, 
    if (ret < 0) {

        goto fail;

    }

    if (rsrc_fork_offset >= offset ||

        rsrc_fork_length > offset - rsrc_fork_offset) {

        ret = -EINVAL;

        goto fail;

    }

    if (rsrc_fork_length != 0) {

        ret = dmg_read_resource_fork(bs, &ds,

                                     rsrc_fork_offset, rsrc_fork_length);