block/cloop: refuse images with huge offsets arrays (CVE-2014-0144)
authorStefan Hajnoczi <stefanha@redhat.com>
Wed, 26 Mar 2014 12:05:27 +0000 (13:05 +0100)
committerStefan Hajnoczi <stefanha@redhat.com>
Tue, 1 Apr 2014 11:59:47 +0000 (13:59 +0200)
commit7b103b36d6ef3b11827c203d3a793bf7da50ecd6
tree8410b6bced1fbf51927ab319ccca226396376905
parent509a41bab5306181044b5fff02eadf96d9c8676a
block/cloop: refuse images with huge offsets arrays (CVE-2014-0144)

Limit offsets_size to 512 MB so that:

1. g_malloc() does not abort due to an unreasonable size argument.

2. offsets_size does not overflow the bdrv_pread() int size argument.

This limit imposes a maximum image size of 16 TB at 256 KB block size.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
block/cloop.c
tests/qemu-iotests/075
tests/qemu-iotests/075.out