qcow2: Fix new L1 table size check (CVE-2014-0143)

The size in bytes is assigned to an int later, so check that instead of the number of entries. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit cab60de) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
qemu · Jul 3, 2014 · 3c6347c · 3c6347c
1 parent e1c8770
commit 3c6347c
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
@@ -55,7 +55,7 @@ int qcow2_grow_l1_table(BlockDriverState *bs, uint64_t min_size,
         }
     }
 
-    if (new_l1_size > INT_MAX) {
+    if (new_l1_size > INT_MAX / sizeof(uint64_t)) {
         return -EFBIG;
     }