From 7e4c52f04096187d526277438a94697effdefe3d Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Tue, 25 Mar 2014 11:45:32 +0100
Subject: [PATCH 14/48] qcow2: Fix new L1 table size check (CVE-2014-0143)

RH-Author: Kevin Wolf <kwolf@redhat.com>
Message-id: <1395744364-16049-14-git-send-email-kwolf@redhat.com>
Patchwork-id: n/a
O-Subject: [EMBARGOED RHEL-6.6/6.5.z qemu-kvm PATCH v2 13/45]
           qcow2: Fix new L1 table size check (CVE-2014-0143)
Bugzilla: 1079319
RH-Acked-by: Max Reitz <mreitz@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Jeff Cody <jcody@redhat.com>

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1079319
Upstream status: Embargoed

The size in bytes is assigned to an int later, so check that instead of
the number of entries.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
 block/qcow2-cluster.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
index 601b678..1b0230c 100644
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -46,7 +46,7 @@ int qcow2_grow_l1_table(BlockDriverState *bs, uint64_t min_size)
         new_l1_size = (new_l1_size * 3 + 1) / 2;
     }
 
-    if (new_l1_size > INT_MAX) {
+    if (new_l1_size > INT_MAX / sizeof(uint64_t)) {
         return -EFBIG;
     }
 
-- 
1.7.1