qcow2: Reject too large header extensions
author Kevin Wolf <kwolf@redhat.com>
Wed, 22 Feb 2012 11:37:13 +0000 (12:37 +0100)
committer Kevin Wolf <kwolf@redhat.com>
Wed, 29 Feb 2012 11:48:47 +0000 (12:48 +0100)
Image files that make qemu-img info read several gigabytes into the
unknown header extensions list are bad. Just fail opening the image
if an extension claims to be larger than the header extension area.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
block/qcow2.c

index f68f0e10745decec330f71fbfdbbb5f79468ff8e..eb5ea485d97a71d5eccc03c594cf388a0e829dad 100644 (file)
@@ -108,6 +108,11 @@ static int qcow2_read_extensions(BlockDriverState *bs, uint64_t start_offset,
 #ifdef DEBUG_EXT
         printf("ext.magic = 0x%x\n", ext.magic);
 #endif
+        if (ext.len > end_offset - offset) {
+            error_report("Header extension too large");
+            return -EINVAL;
+        }
+
         switch (ext.magic) {
         case QCOW2_EXT_MAGIC_END:
             return 0;
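
Review bot: The new bound `ext.len > end_offset - offset` is only sound if `offset <= end_offset` already holds at this point, and nothing in the hunk shows that. `start_offset` is a `uint64_t` in the signature; if `offset` and `end_offset` are unsigned as well, an `offset` past `end_offset` would wrap the difference to a very large value and the check would let any `ext.len` through. Consider rejecting `offset > end_offset` ahead of the comparison, or add a comment naming where that invariant is established. Separately, `error_report("Header extension too large")` drops the values needed to triage a malformed image; including `ext.magic`, `ext.len` and the current offset in the message would make the failure diagnosable without a DEBUG_EXT build.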