ShuriZma
/
xemu
mirror of https://github.com/xemu-project/xemu.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

block: fix off-by-one error in qcow and qcow2 

This fixes an off-by-one error introduced in 9a29e18.  Both qcow and
qcow2 need to make sure to leave room for string terminator '\0' for
the backing file, so the max length of the non-terminated string is
either 1023 or PATH_MAX - 1.

Reported-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Jeff Cody <jcody@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
This commit is contained in:
Jeff Cody 2015-01-27 08:33:55 -05:00 committed by Kevin Wolf
parent 319fc53e34
commit e729fa6afe
2 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
block/qcow.c
View File

@ -215,7 +215,7 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
/* read the backing file name */ /* read the backing file name */
if (header.backing_file_offset != 0) { if (header.backing_file_offset != 0) {
len = header.backing_file_size; len = header.backing_file_size;
if (len > 1023 || len > sizeof(bs->backing_file)) { if (len > 1023 || len >= sizeof(bs->backing_file)) {
error_setg(errp, "Backing file name too long"); error_setg(errp, "Backing file name too long");
ret = -EINVAL; ret = -EINVAL;
goto fail; goto fail;

2
block/qcow2.c
View File

@ -869,7 +869,7 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
if (header.backing_file_offset != 0) { if (header.backing_file_offset != 0) {
len = header.backing_file_size; len = header.backing_file_size;
if (len > MIN(1023, s->cluster_size - header.backing_file_offset) || if (len > MIN(1023, s->cluster_size - header.backing_file_offset) ||
len > sizeof(bs->backing_file)) { len >= sizeof(bs->backing_file)) {
error_setg(errp, "Backing file name too long"); error_setg(errp, "Backing file name too long");
ret = -EINVAL; ret = -EINVAL;
goto fail; goto fail;