From 04f69ed0e0617a5c395cc04ebe74933cc4519778 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Tue, 25 Mar 2014 11:45:45 +0100
Subject: [PATCH 27/48] bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147)

RH-Author: Kevin Wolf <kwolf@redhat.com>
Message-id: <1395744364-16049-27-git-send-email-kwolf@redhat.com>
Patchwork-id: n/a
O-Subject: [EMBARGOED RHEL-6.6/6.5.z qemu-kvm PATCH v2 26/45]
           bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147)
Bugzilla: 1079338
RH-Acked-by: Max Reitz <mreitz@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1079338
Upstream status: Embargoed

Gets rid of integer overflows that result in negative sizes which
aren't correctly checked.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>

Conflicts:
	tests/qemu-iotests/078
	tests/qemu-iotests/078.out

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
 block/bochs.c |   16 ++++++++--------
 1 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/block/bochs.c b/block/bochs.c
index 2a49e32..c6f2cd6 100644
--- a/block/bochs.c
+++ b/block/bochs.c
@@ -67,13 +67,13 @@ struct bochs_header {
 typedef struct BDRVBochsState {
     CoMutex lock;
     uint32_t *catalog_bitmap;
-    int catalog_size;
+    uint32_t catalog_size;
 
-    int data_offset;
+    uint32_t data_offset;
 
-    int bitmap_blocks;
-    int extent_blocks;
-    int extent_size;
+    uint32_t bitmap_blocks;
+    uint32_t extent_blocks;
+    uint32_t extent_size;
 } BDRVBochsState;
 
 static int bochs_probe(const uint8_t *buf, int buf_size, const char *filename)
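Review bot: Switching catalog_size, data_offset, bitmap_blocks, extent_blocks and extent_size to uint32_t removes the negative-value case, but these fields are presumably filled straight from the on-disk header in bochs_open (the second hunk), and unsigned arithmetic on them wraps silently instead of going negative, so any product or sum derived from them (the catalog_bitmap allocation size, data_offset, the per-extent block count) still needs an explicit upper bound before use. The struct would benefit from stating that contract: `/* All sizes below come from the untrusted on-disk header; bochs_open() must range-check them before they are used in arithmetic, since uint32_t wraps silently. */`. Whether such checks already exist cannot be seen from this patch, as the body of bochs_open lies outside the hunks.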
@@ -96,7 +96,7 @@ static int bochs_probe(const uint8_t *buf, int buf_size, const char *filename)
 static int bochs_open(BlockDriverState *bs, int flags)
 {
     BDRVBochsState *s = bs->opaque;
-    int i;
+    uint32_t i;
     struct bochs_header bochs;
     int ret;
 
@@ -151,8 +151,8 @@ fail:
 static int64_t seek_to_sector(BlockDriverState *bs, int64_t sector_num)
 {
     BDRVBochsState *s = bs->opaque;
-    int64_t offset = sector_num * 512;
-    int64_t extent_index, extent_offset, bitmap_offset;
+    uint64_t offset = sector_num * 512;
+    uint64_t extent_index, extent_offset, bitmap_offset;
     char bitmap_entry;
 
     // seek to sector
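Review bot: `uint64_t offset = sector_num * 512;` still evaluates the multiplication in int64_t and only converts the result afterwards, so for a large sector_num the signed overflow (undefined behaviour) happens before the unsigned variable is ever involved; widening first, `uint64_t offset = (uint64_t)sector_num * 512;`, makes the operation well-defined, and a negative sector_num should be rejected by the caller rather than reinterpreted here. seek_to_sector returns int64_t while its intermediates are now uint64_t, so a result above INT64_MAX is converted back to a negative value on return; if callers treat a negative return as "not allocated", that conversion deserves a comment or a range check. The rest of the function is outside this hunk; if bitmap_offset is computed from the uint32_t state fields (a catalog entry times extent_blocks + bitmap_blocks, times 512), that product is evaluated in 32 bits and can wrap before it is widened into the uint64_t variable, so each factor should be cast to uint64_t first.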
-- 
1.7.1

