aboutsummaryrefslogtreecommitdiff
path: root/tests
AgeCommit message (Collapse)Author
2014-05-08qapi: [trivial] Break long command linesLluís Vilanova
Signed-off-by: Lluís Vilanova <vilanova@ac.upc.edu> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2014-05-07tests/tcg: Fix compilation of test_pathPeter Maydell
The test_path binary is (unlike the other test binaries in tests/tcg) actually intended to be compiled with the same compiler used to build the main QEMU executables. It actually #includes a number of the QEMU source files in an attempt to unit-test the util/path.c functions, and so if it is not compiled with the same compiler used by configure to set CONFIG_ settings then it is liable to fail to build. Fix the makefile to build it with the default C compiler rules, not CC_I386, and fix the test itself not to include a lot of unnecessary trace related source files which cause the build to fail if the trace backend is anything other than 'simple'. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2014-05-05tests: Add EHCI qtestAndreas Färber
Signed-off-by: Andreas Färber <afaerber@suse.de>
2014-05-05tests: Add ioh3420 qtestAndreas Färber
Signed-off-by: Andreas Färber <afaerber@suse.de>
2014-05-05tests: Add intel-hda qtestsAndreas Färber
Test both the ich6 and the ich9 version (cf. q35 config) and all the codecs. Cc: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Andreas Färber <afaerber@suse.de>
2014-05-05tests: Add es1370 qtestAndreas Färber
Signed-off-by: Andreas Färber <afaerber@suse.de>
2014-05-05tests: Add ac97 qtestAndreas Färber
Signed-off-by: Andreas Färber <afaerber@suse.de>
2014-05-05qtest: Be paranoid about accept() addrlen argumentAndreas Färber
POSIX specifies that address_len shall on output specify the length of the stored address; it does not however specify whether it may get updated on failure as well to, e.g., zero. In case EINTR occurs, re-initialize the variable to the desired value. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Andreas Färber <afaerber@suse.de>
2014-05-05qtest: Add error reporting to socket_accept()Andreas Färber
We're not using the GLib infrastructure here, to allow cleaning up the sockets. Still, knowing why a certain test run failed can be valuable. Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Andreas Färber <afaerber@suse.de>
2014-05-05qtest: Assure that init_socket()'s listen() does not failAndreas Färber
In practice this seems very unlikely, so cleanup is neglected, as done for bind(). Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Andreas Färber <afaerber@suse.de>
2014-05-02Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into stagingPeter Maydell
Block patches # gpg: Signature made Wed 30 Apr 2014 19:19:32 BST using RSA key ID C88F2FD6 # gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>" * remotes/kevin/tags/for-upstream: (31 commits) curl: Fix hang reading from slow connections curl: Ensure all informationals are checked for completion curl: Eliminate unnecessary use of curl_multi_socket_all curl: Remove unnecessary explicit calls to internal event handler curl: Remove erroneous sleep waiting for curl completion curl: Fix return from curl_read_cb with invalid state curl: Remove unnecessary use of goto curl: Fix long line block/vdi: Error out immediately in vdi_create() block/bochs: Fix error handling for seek_to_sector() qcow2: Check min_size in qcow2_grow_l1_table() qcow2: Catch bdrv_getlength() error block: Use correct width in format strings qcow2: Avoid overflow in alloc_clusters_noref() block: Use error_abort in bdrv_image_info_specific_dump() block: Fix open_flags in bdrv_reopen() Revert "block: another bdrv_append fix" block: Unlink temporary files in raw-posix/win32 block: Remove BDRV_O_COPY_ON_READ for bs->file block: Create bdrv_backing_flags() ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-01Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-2' into stagingPeter Maydell
vga: add secondary stdvga variant # gpg: Signature made Mon 28 Apr 2014 10:11:44 BST using RSA key ID D3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" * remotes/kraxel/tags/pull-vga-2: add secondary-vga to display-vga test add display-vga test vga: add secondary stdvga variant vga: allow non-global vmstate Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-04-29iotests: Discarding compressed clusters on qcow2Max Reitz
Add a test which discards a compressed cluster on qcow2. This should work without any problems. Signed-off-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-04-29block: qemu-iotests: make test 019 and 086 work with spaced pathnamesJeff Cody
Both tests 019 and 086 need proper quotations to work with pathnames that contain spaces. Reviewed-by: Benoit Canet <benoit@irqsave.net> Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Jeff Cody <jcody@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-04-29block: qemu-iotests - fix image cleanup when using spaced pathnamesJeff Cody
The _rm_test_img() function in common.rc did not quote the image file, which left droppings in the scratch directory (and performed a potentially unsafe rm -f). This adds the necessary quotes. Reviewed-by: Benoit Canet <benoit@irqsave.net> Signed-off-by: Jeff Cody <jcody@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-04-28Merge remote-tracking branch 'remotes/mjt/tags/trivial-patches-2014-04-28' ↵Peter Maydell
into staging trivial patches for 2014-04-28 # gpg: Signature made Mon 28 Apr 2014 05:56:01 BST using RSA key ID A4C3D7DB # gpg: Good signature from "Michael Tokarev <mjt@tls.msk.ru>" # gpg: aka "Michael Tokarev <mjt@corpit.ru>" # gpg: aka "Michael Tokarev <mjt@debian.org>" # gpg: WARNING: This key is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: 6EE1 95D1 886E 8FFB 810D 4324 457C E0A0 8044 65C5 # Subkey fingerprint: 6F67 E18E 7C91 C5B1 5514 66A7 BEE5 9D74 A4C3 D7DB * remotes/mjt/tags/trivial-patches-2014-04-28: slirp/smb: Move ncalrpc directory to tmp po: add proper Language: tags to .po files po/Makefile: fix $SRC_PATH reference init_paths: fix minor memory leak virtfs-proxy-helper: fix call to accept net/net.c: remove unnecessary semicolon Add QEMU logo (SVG file) vl: avoid closing stdout with 'writeconfig' xilinx: Fix typo in comment (Marvel -> Marvell) vl: Eliminate a superfluous local variable vl: Remove useless 'continue' gitignore: cleanups #2 tests/.gitignore: Ignore test-rfifolock move test-* from .gitignore to tests/.gitignore configure: Improve help behavior vl: convert -m to QemuOpts qemu-option: introduce qemu_find_opts_singleton misc: Use cpu_physical_memory_read and cpu_physical_memory_write Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-04-28add secondary-vga to display-vga testGerd Hoffmann
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-04-28add display-vga testGerd Hoffmann
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-04-27tests/.gitignore: Ignore test-rfifolockCole Robinson
Signed-off-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2014-04-27move test-* from .gitignore to tests/.gitignoreLaszlo Ersek
Also sort the test-* entries in the latter. Signed-off-by: Laszlo Ersek <lersek@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2014-04-25Use error_is_set() only when necessary (again)Markus Armbruster
error_is_set(&var) is the same as var != NULL, but it takes whole-program analysis to figure that out. Unnecessarily hard for optimizers, static checkers, and human readers. Commit 84d18f0 dumbed it down to obvious, but a few more have crept in since, and documentation was overlooked. Dumb these down, too. Signed-off-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-25qemu-iotests: Improve and make use of QMPTestCase.wait_until_completed()Fam Zheng
This eliminates code duplication. Signed-off-by: Fam Zheng <famz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-22qemu-iotests: Check common namespace for id and node-nameKevin Wolf
A name that is taken by an ID can't be taken by a node-name at the same time. Check that conflicts are correctly detected. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Fam Zheng <famz@redhat.com>
2014-04-22block: Catch duplicate IDs in bdrv_new()Kevin Wolf
Since commit f298d071, block devices added with blockdev-add don't have a QemuOpts around in dinfo->opts. Consequently, we can't rely any more on QemuOpts catching duplicate IDs for block devices. This patch adds a new check for duplicate IDs to bdrv_new(), and moves the existing check that the ID isn't already taken for a node-name there as well. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
2014-04-22block: Catch integer overflow in bdrv_rw_co()Kevin Wolf
Insanely large requests could cause an integer overflow in bdrv_rw_co() while converting sectors to bytes. This patch catches the problem and returns an error (if we hadn't overflown the integer here, bdrv_check_byte_request() would have rejected the request, so we're not breaking anything that was supposed to work before). We actually do have a test case that triggers behaviour where we accidentally let such a request pass, so that it would return success, but read 0 bytes instead of the requested 4 GB. It fails now like it should. If the vdi block driver wants to be able to deal with huge images, it can't read the whole block bitmap at once into memory like it does today, but needs to use a metadata cache like qcow2 does. Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-04-14acpi-test: update expected filesMichael S. Tsirkin
commit 58b035c7354afc0c5351ea62264c01d74196ec26 acpi: fix incorrect encoding for 0x{F-1}FFFF changes the SSDT, update expected files accordingly. Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-04-11bochs: Fix catalog size checkKevin Wolf
The old check was off by a factor of 512 and didn't consider cases where we don't get an exact division. This could lead to an out-of-bounds array access in seek_to_sector(). Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2014-04-09tests/acpi: update expected DSDT filesMichael S. Tsirkin
commit f2ccc311df55ec026a8f8ea9df998f26314f22b2 dsdt: tweak ACPI ID for hotplug resource device changes the DSDT, update test expected files to match Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reported-by: Igor Mammedov <imammedo@redhat.com>
2014-04-07tests: Update check-clean ruleAndreas Färber
Only i386, x86_64, sparc and sparc64 qtests were cleaned up. Make this more generic to not miss any newly tested targets. Reported-by: Alexey Kardashevskiy <aik@ozlabs.ru> Suggested-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Andreas Färber <afaerber@suse.de>
2014-04-04block: Fix snapshot=on for protocol parsed from filenameKevin Wolf
Since commit 9fd3171a, BDRV_O_SNAPSHOT uses an option QDict to specify the originally requested image as the backing file of the newly created temporary snapshot. This means that the filename is stored in "file.filename", which is an option that is not parsed for protocol names. Therefore things like -drive file=nbd:localhost:10809 were broken because it looked for a local file with the literal name 'nbd:localhost:10809'. This patch changes the way BDRV_O_SNAPSHOT works once again. We now open the originally requested image as normal, and then do a similar operation as for live snapshots to put the temporary snapshot on top. This way, both driver specific options and parsed filenames work. As a nice side effect, this results in code movement to factor bdrv_append_temp_snapshot() out. This is a good preparation for moving its call to drive_init() and friends eventually. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com>
2014-04-04qemu-iotests: Remove CR line endings in reference outputKevin Wolf
qemu doesn't print these CRs any more. The test still didn't fail because the output comparison ignores line endings, but the change turns up each time when you want to update the output. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com>
2014-04-04block: Don't parse 'filename' optionKevin Wolf
When using the QDict option 'filename', it is supposed to be interpreted literally. The code did correctly avoid guessing the protocol from any string before the first colon, but it still called bdrv_parse_filename() which would, for example, incorrectly remove a 'file:' prefix in the raw-posix driver. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com>
2014-04-04qcow2: Flush metadata during read-only reopenKevin Wolf
If lazy refcounts are enabled for a backing file, committing to this backing file may leave it in a dirty state even if the commit succeeds. The reason is that the bdrv_flush() call in bdrv_commit() doesn't flush refcount updates with lazy refcounts enabled, and qcow2_reopen_prepare() doesn't take care to flush metadata. In order to fix this, this patch also fixes qcow2_mark_clean(), which contains another ineffective bdrv_flush() call beause lazy refcounts are disabled only afterwards. All existing callers of qcow2_mark_clean() either don't modify refcounts or already flush manually, so that this fixes only a latent, but not yet actually triggerable bug. Another instance of the same problem is live snapshots. Again, a real corruption is prevented by an explicit flush for non-read-only images in external_snapshot_prepare(), but images using lazy refcounts stay dirty. Cc: qemu-stable@nongnu.org Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into ↵Peter Maydell
staging Block pull request # gpg: Signature made Tue 01 Apr 2014 18:11:16 BST using RSA key ID 81AB73C8 # gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" # gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>" * remotes/stefanha/tags/block-pull-request: (51 commits) qcow2: link all L2 meta updates in preallocate() parallels: Sanity check for s->tracks (CVE-2014-0142) parallels: Fix catalog size integer overflow (CVE-2014-0143) qcow2: Limit snapshot table size qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143) qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145) qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146) qcow2: Fix copy_sectors() with VM state block: Limit request size (CVE-2014-0143) block: vdi bounds check qemu-io tests dmg: prevent chunk buffer overflow (CVE-2014-0145) dmg: use uint64_t consistently for sectors and lengths dmg: sanitize chunk length and sectorcount (CVE-2014-0145) dmg: use appropriate types when reading chunks dmg: drop broken bdrv_pread() loop dmg: prevent out-of-bounds array access on terminator dmg: coding style and indentation cleanup qcow2: Fix new L1 table size check (CVE-2014-0143) qcow2: Protect against some integer overflows in bdrv_check qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-04-01parallels: Sanity check for s->tracks (CVE-2014-0142)Kevin Wolf
This avoids a possible division by zero. Convert s->tracks to unsigned as well because it feels better than surviving just because the results of calculations with s->tracks are converted to unsigned anyway. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01parallels: Fix catalog size integer overflow (CVE-2014-0143)Kevin Wolf
The first test case would cause a huge memory allocation, leading to a qemu abort; the second one to a too small malloc() for the catalog (smaller than s->catalog_size), which causes a read-only out-of-bounds array access and on big endian hosts an endianess conversion for an undefined memory area. The sample image used here is not an original Parallels image. It was created using an hexeditor on the basis of the struct that qemu uses. Good enough for trying to crash the driver, but not for ensuring compatibility. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143)Kevin Wolf
This avoids an unbounded allocation. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145)Kevin Wolf
For the L1 table to loaded for an internal snapshot, the code allocated only enough memory to hold the currently active L1 table. If the snapshot's L1 table is actually larger than the current one, this leads to a buffer overflow. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146)Kevin Wolf
The qcow2 code assumes that s->snapshots is non-NULL if s->nb_snapshots != 0. By having the initialisation of both fields separated in qcow2_open(), any error occuring in between would cause the error path to dereference NULL in qcow2_free_snapshots() if the image had any snapshots. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01qcow2: Fix copy_sectors() with VM stateKevin Wolf
bs->total_sectors is not the highest possible sector number that could be involved in a copy on write operation: VM state is after the end of the virtual disk. This resulted in wrong values for the number of sectors to be copied (n). The code that checks for the end of the image isn't required any more because the code hasn't been calling the block layer's bdrv_read() for a long time; instead, it directly calls qcow2_readv(), which doesn't error out on VM state sector numbers. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01block: vdi bounds check qemu-io testsJeff Cody
This test checks for proper bounds checking of some VDI input headers. The following is checked: 1. Max image size (1024TB) with the appropriate Blocks In Image value (0x3fffffff) is detected as valid. 2. Image size exceeding max (1024TB) is seen as invalid 3. Valid image size but with Blocks In Image value that is too small fails 4. Blocks In Image size exceeding max (0x3fffffff) is seen as invalid 5. 64MB image, with 64 Blocks In Image, and 1MB Block Size is seen as valid 6. Block Size < 1MB not supported 7. Block Size > 1MB not supported [Max Reitz <mreitz@redhat.com> pointed out that "1MB + 1" in the test case is wrong. Change to "1MB + 64KB" to match the 0x110000 value. --Stefan] Signed-off-by: Jeff Cody <jcody@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01qcow2: Don't rely on free_cluster_index in alloc_refcount_block() ↵Kevin Wolf
(CVE-2014-0147) free_cluster_index is only correct if update_refcount() was called from an allocation function, and even there it's brittle because it's used to protect unfinished allocations which still have a refcount of 0 - if it moves in the wrong place, the unfinished allocation can be corrupted. So not using it any more seems to be a good idea. Instead, use the first requested cluster to do the calculations. Return -EAGAIN if unfinished allocations could become invalid and let the caller restart its search for some free clusters. The context of creating a snapsnot is one situation where update_refcount() is called outside of a cluster allocation. For this case, the change fixes a buffer overflow if a cluster is referenced in an L2 table that cannot be represented by an existing refcount block. (new_table[refcount_table_index] was out of bounds) [Bump the qemu-iotests 026 refblock_alloc.write leak count from 10 to 11. --Stefan] Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01qcow2: Fix backing file name length checkKevin Wolf
len could become negative and would pass the check then. Nothing bad happened because bdrv_pread() happens to return an error for negative length values, but make variables for sizes unsigned anyway. This patch also changes the behaviour to error out on invalid lengths instead of silently truncating it to 1023. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01qcow2: Validate active L1 table offset and size (CVE-2014-0144)Kevin Wolf
This avoids an unbounded allocation. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01qcow2: Validate snapshot table offset/size (CVE-2014-0144)Kevin Wolf
This avoid unbounded memory allocation and fixes a potential buffer overflow on 32 bit hosts. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01qcow2: Validate refcount table offsetKevin Wolf
The end of the refcount table must not exceed INT64_MAX so that integer overflows are avoided. Also check for misaligned refcount table. Such images are invalid and probably the result of data corruption. Error out to avoid further corruption. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01qcow2: Check refcount table size (CVE-2014-0144)Kevin Wolf
Limit the in-memory reference count table size to 8 MB, it's enough in practice. This fixes an unbounded allocation as well as a buffer overflow in qcow2_refcount_init(). Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01qcow2: Check backing_file_offset (CVE-2014-0144)Kevin Wolf
Header, header extension and the backing file name must all be stored in the first cluster. Setting the backing file to a much higher value allowed header extensions to become much bigger than we want them to be (unbounded allocation). Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01qcow2: Check header_length (CVE-2014-0144)Kevin Wolf
This fixes an unbounded allocation for s->unknown_header_fields. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-01vpc: Validate block size (CVE-2014-0142)Kevin Wolf
This fixes some cases of division by zero crashes. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>