vmdk: Fix overflow if l1_size is 0x20000000

Richard Jones caught this bug with afl fuzzer. In fact, that's the only possible value to overflow (extent->l1_size = 0x20000000) l1_size: l1_size = extent->l1_size * sizeof(long) => 0x80000000; g_try_malloc returns NULL because l1_size is interpreted as negative during type casting from 'int' to 'gsize', which yields a enormous value. Hence, by coincidence, we get a "not too bad" behavior: qemu-img: Could not open '/tmp/afl6.img': Could not open '/tmp/afl6.img': Cannot allocate memory Values larger than 0x20000000 will be refused by the validation in vmdk_add_extent. Values smaller than 0x20000000 will not overflow l1_size. Cc: qemu-stable@nongnu.org Reported-by: Richard W.M. Jones <rjones@redhat.com> Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Tested-by: Richard W.M. Jones <rjones@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2025-02-02 02:04:25 +00:00 · 2015-05-05 17:28:13 +08:00 · 2015-05-05 17:28:13 +08:00 · 13c4941cdd
commit 13c4941cdd
parent 5e82a31eb9
1 changed files with 2 additions and 1 deletions
--- a/block/vmdk.c
+++ b/block/vmdk.c
@ -451,7 +451,8 @@ static int vmdk_init_tables(BlockDriverState *bs, VmdkExtent *extent,
                            Error **errp)
 {
    int ret;
-    int l1_size, i;
+    size_t l1_size;
+    int i;

    /* read the L1 table */
    l1_size = extent->l1_size * sizeof(uint32_t);