From 246f65838d19db6db55bfb41117c35645a2c4789 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Wed, 26 Mar 2014 13:05:32 +0100
Subject: bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147)

Gets us rid of integer overflows resulting in negative sizes which
aren't correctly checked.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 tests/qemu-iotests/078 | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'tests/qemu-iotests/078')

diff --git a/tests/qemu-iotests/078 b/tests/qemu-iotests/078
index f55f46d92b..73b573a624 100755
--- a/tests/qemu-iotests/078
+++ b/tests/qemu-iotests/078
@@ -42,11 +42,19 @@ _supported_fmt bochs
 _supported_proto generic
 _supported_os Linux
 
+catalog_size_offset=$((0x48))
+
 echo
 echo "== Read from a valid image =="
 _use_sample_img empty.bochs.bz2
 { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
 
+echo
+echo "== Negative catalog size =="
+_use_sample_img empty.bochs.bz2
+poke_file "$TEST_IMG" "$catalog_size_offset" "\xff\xff\xff\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
 # success, all done
 echo "*** done"
 rm -f $seq.full
-- 
cgit v1.2.3