On 12/27/2014 10:01 AM, Peter Wu wrote:
Previously the chunk size was not checked, allowing for a large memory
allocation. This patch checks whether the chunks size is within the
resource fork length.

Signed-off-by: Peter Wu <pe...@lekensteyn.nl>
---
  block/dmg.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/dmg.c b/block/dmg.c
index 75e771a..19e4fe2 100644
--- a/block/dmg.c
+++ b/block/dmg.c
@@ -308,7 +308,7 @@ static int dmg_read_resource_fork(BlockDriverState *bs, 
DmgHeaderState *ds,
          ret = read_uint32(bs, offset, &count);
          if (ret < 0) {
              goto fail;
-        } else if (count == 0) {
+        } else if (count == 0 || count > info_end - offset) {
              ret = -EINVAL;
              goto fail;
          }


As mentioned already, please squash your latest changes in your git repository into this patch for v2.

Reply via email to