From: Kevin Wolf Date: Wed, 26 Mar 2014 12:05:53 +0000 (+0100) Subject: qcow2: Fix new L1 table size check (CVE-2014-0143) X-Git-Tag: Tizen_Studio_1.3_Release_p2.3.1~386^2~42^2~40^2~17 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=cab60de930684c33f67d4e32c7509b567f8c445b;p=sdk%2Femulator%2Fqemu.git qcow2: Fix new L1 table size check (CVE-2014-0143) The size in bytes is assigned to an int later, so check that instead of the number of entries. Signed-off-by: Kevin Wolf Reviewed-by: Max Reitz Signed-off-by: Stefan Hajnoczi --- diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c index 9499df9ef2..242e1f89b2 100644 --- a/block/qcow2-cluster.c +++ b/block/qcow2-cluster.c @@ -55,7 +55,7 @@ int qcow2_grow_l1_table(BlockDriverState *bs, uint64_t min_size, } } - if (new_l1_size > INT_MAX) { + if (new_l1_size > INT_MAX / sizeof(uint64_t)) { return -EFBIG; }
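Review bot: The changed condition `if (new_l1_size > INT_MAX / sizeof(uint64_t))` in qcow2_grow_l1_table() carries no comment explaining why the entry count is capped at INT_MAX divided by the entry size. The reason (the size in bytes is later assigned to an int) is recorded only in the commit message. I would add a one-line comment above the check stating that the limit applies to the table size in bytes, not the number of entries. The assignment that the check protects is outside the visible context, so it is worth confirming that it multiplies by the same `sizeof(uint64_t)` factor, so the bound and the multiplication cannot drift apart. The declaration of new_l1_size is also not shown; please confirm it is wide enough that the value computed from the uint64_t min_size is not already truncated before it reaches this comparison.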