$OpenBSD: patch-block_vmdk_c,v 1.1 2015/09/16 09:18:13 ajacoutot Exp $

vmdk: Fix overflow if l1_size is 0x20000000

Richard Jones caught this bug with afl fuzzer.

In fact, that's the only possible value to overflow (extent->l1_size =
0x20000000) l1_size:

l1_size = extent->l1_size * sizeof(long) => 0x80000000;

g_try_malloc returns NULL because l1_size is interpreted as negative
during type casting from 'int' to 'gsize', which yields a enormous
value. Hence, by coincidence, we get a "not too bad" behavior:

qemu-img: Could not open '/tmp/afl6.img': Could not open
'/tmp/afl6.img': Cannot allocate memory

Values larger than 0x20000000 will be refused by the validation in
vmdk_add_extent.

Values smaller than 0x20000000 will not overflow l1_size.

--- block/vmdk.c.orig	Wed Sep 16 03:46:16 2015
+++ block/vmdk.c	Wed Sep 16 03:46:53 2015
@@ -450,7 +450,8 @@ static int vmdk_init_tables(BlockDriverState *bs, Vmdk
                             Error **errp)
 {
     int ret;
-    int l1_size, i;
+    size_t l1_size;
+    int i;
 
     /* read the L1 table */
     l1_size = extent->l1_size * sizeof(uint32_t);
