diff options
| -rw-r--r-- | block/dmg.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/block/dmg.c b/block/dmg.c index 4f56227fc5..5c2c2c231d 100644 --- a/block/dmg.c +++ b/block/dmg.c @@ -317,7 +317,7 @@ static int dmg_read_resource_fork(BlockDriverState *bs, DmgHeaderState *ds, ret = read_uint32(bs, offset, &count); if (ret < 0) { goto fail; - } else if (count == 0) { + } else if (count == 0 || count > info_end - offset) { ret = -EINVAL; goto fail; } @@ -377,6 +377,11 @@ static int dmg_open(BlockDriverState *bs, QDict *options, int flags, if (ret < 0) { goto fail; } + if (rsrc_fork_offset >= offset || + rsrc_fork_length > offset - rsrc_fork_offset) { + ret = -EINVAL; + goto fail; + } if (rsrc_fork_length != 0) { ret = dmg_read_resource_fork(bs, &ds, rsrc_fork_offset, rsrc_fork_length); |