From b63773c517cce60c4f1bee939d98d9fe75575450 Mon Sep 17 00:00:00 2001
From: Daniel P. Berrange
Date: Feb 23 2008 16:04:41 +0000
Subject: Fix block device extents check (rhbz #433560)
---
diff --git a/qemu-0.9.0-block-rw-range-check.patch b/qemu-0.9.0-block-rw-range-check.patch
new file mode 100644
index 0000000..29af361
--- /dev/null
+++ b/qemu-0.9.0-block-rw-range-check.patch
@@ -0,0 +1,107 @@
+diff -rup qemu-0.9.0.orig/block.c qemu-0.9.0.new/block.c
+--- qemu-0.9.0.orig/block.c 2007-02-05 18:01:54.000000000 -0500
++++ qemu-0.9.0.new/block.c 2008-02-23 10:35:58.000000000 -0500
+@@ -120,6 +120,24 @@ void path_combine(char *dest, int dest_s
+ }
+ }
+ 
++static int bdrv_rw_badreq_sectors(BlockDriverState *bs,
++ int64_t sector_num, int nb_sectors)
++{
++ return
++ nb_sectors < 0 ||
++ nb_sectors > bs->total_sectors ||
++ sector_num > bs->total_sectors - nb_sectors;
++}
++
++static int bdrv_rw_badreq_bytes(BlockDriverState *bs,
++ int64_t offset, int count)
++{
++ int64_t size = bs->total_sectors << SECTOR_BITS;
++ return
++ count < 0 ||
++ count > size ||
++ offset > size - count;
++}
+ 
+ void bdrv_register(BlockDriver *bdrv)
+ {
+@@ -372,6 +390,7 @@ int bdrv_open2(BlockDriverState *bs, con
+ }
+ bs->drv = drv;
+ bs->opaque = qemu_mallocz(drv->instance_size);
++ bs->total_sectors = 0; /* driver will set if it does not do getlength */
+ if (bs->opaque == NULL && drv->instance_size > 0)
+ return -1;
+ /* Note: for compatibility, we open disk image files as RDWR, and
+@@ -437,6 +456,7 @@ void bdrv_close(BlockDriverState *bs)
+ bs->drv = NULL;
+ 
+ /* call the change callback */
++ bs->total_sectors = 0;
+ bs->media_changed = 1;
+ if (bs->change_cb)
+ bs->change_cb(bs->change_opaque);
+@@ -502,6 +522,8 @@ int bdrv_read(BlockDriverState *bs, int6
+ if (!drv)
+ return -ENOMEDIUM;
+ 
++ if (bdrv_rw_badreq_sectors(bs, sector_num, nb_sectors))
++ return -EDOM;
+ if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
+ memcpy(buf, bs->boot_sector_data, 512);
+ sector_num++;
+@@ -539,6 +561,8 @@ int bdrv_write(BlockDriverState *bs, int
+ return -ENOMEDIUM;
+ if (bs->read_only)
+ return -EACCES;
++ if (bdrv_rw_badreq_sectors(bs, sector_num, nb_sectors))
++ return -EDOM;
+ if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
+ memcpy(bs->boot_sector_data, buf, 512);
+ }
+@@ -661,6 +685,8 @@ int bdrv_pread(BlockDriverState *bs, int
+ return -ENOMEDIUM;
+ if (!drv->bdrv_pread)
+ return bdrv_pread_em(bs, offset, buf1, count1);
++ if (bdrv_rw_badreq_bytes(bs, offset, count1))
++ return -EDOM;
+ return drv->bdrv_pread(bs, offset, buf1, count1);
+ }
+ 
+@@ -676,6 +702,8 @@ int bdrv_pwrite(BlockDriverState *bs, in
+ return -ENOMEDIUM;
+ if (!drv->bdrv_pwrite)
+ return bdrv_pwrite_em(bs, offset, buf1, count1);
++ if (bdrv_rw_badreq_bytes(bs, offset, count1))
++ return -EDOM;
+ return drv->bdrv_pwrite(bs, offset, buf1, count1);
+ }
+ 
+@@ -917,6 +945,8 @@ int bdrv_write_compressed(BlockDriverSta
+ return -ENOMEDIUM;
+ if (!drv->bdrv_write_compressed)
+ return -ENOTSUP;
++ if (bdrv_rw_badreq_sectors(bs, sector_num, nb_sectors))
++ return -EDOM;
+ return drv->bdrv_write_compressed(bs, sector_num, buf, nb_sectors);
+ }
+ 
+@@ -1062,6 +1092,8 @@ BlockDriverAIOCB *bdrv_aio_read(BlockDri
+ 
+ if (!drv)
+ return NULL;
++ if (bdrv_rw_badreq_sectors(bs, sector_num, nb_sectors))
++ return NULL;
+ 
+ /* XXX: we assume that nb_sectors == 0 is suppored by the async read */
+ if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
+@@ -1084,6 +1116,8 @@ BlockDriverAIOCB *bdrv_aio_write(BlockDr
+ return NULL;
+ if (bs->read_only)
+ return NULL;
++ if (bdrv_rw_badreq_sectors(bs, sector_num, nb_sectors))
++ return NULL;
+ if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
+ memcpy(bs->boot_sector_data, buf, 512);
+ }
diff --git a/qemu.spec b/qemu.spec
index 56120f4..2d84588 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -8,7 +8,7 @@ Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 0.9.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+, LGPLv2+
 Group: Development/Tools
 URL: http://www.qemu.org/
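Review bot: bdrv_rw_badreq_sectors in the first block.c hunk never rejects a negative sector_num, and bdrv_rw_badreq_bytes never rejects a negative offset: both are int64_t, and the only lower-bound test, `sector_num > bs->total_sectors - nb_sectors` (resp. `offset > size - count`), is trivially false for a negative value, so such a request still reaches drv->bdrv_read/bdrv_write/bdrv_pread/bdrv_pwrite with an address before the start of the image. Make `sector_num < 0 ||` the first term of the sectors check and `offset < 0 ||` the first term of the bytes check; whether any device emulator can hand a negative value to these entry points is not visible in this patch, but the helpers are the single choke point and should not rely on every caller. Note also that the byte-range check in bdrv_pread/bdrv_pwrite sits after the fallback to bdrv_pread_em/bdrv_pwrite_em, so the emulated path is protected only if those helpers go through bdrv_read/bdrv_write, which the hunk does not show. The new `bs->total_sectors = 0;` in bdrv_open2 is fail-closed (every request is refused with -EDOM until a driver or getlength fills it in), which is the right default but deserves saying at that line, e.g. `/* 0 until the driver or getlength sets it; I/O before then is refused by bdrv_rw_badreq_* */`. Every hunk here cuts through the middle of its function (bdrv_open2, bdrv_close, bdrv_read, bdrv_write, bdrv_pread, bdrv_pwrite, bdrv_write_compressed and the aio variants), so their bodies begin and end outside the patch.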
@@ -23,6 +23,7 @@ Patch5: qemu-0.9.0-rtl8139-mmio-regions.patch
 Patch6: qemu-0.9.0-atapi-hsm.patch
 # Fix RTL8139 checksum calculations for Vista
 Patch7: qemu-0.9.0-rtl8139-checksum.patch
+Patch8: qemu-%{version}-block-rw-range-check.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: SDL-devel compat-gcc-%{gccver} zlib-devel which texi2html
 Requires(post): /sbin/chkconfig
@@ -51,6 +52,7 @@ As QEMU requires no host kernel patches to run, it is safe and easy to use.
 %patch5 -p1
 %patch6 -p1
 %patch7 -p0
+%patch8 -p1
 %build
 ./configure \
@@ -101,6 +103,9 @@ fi
 %{_mandir}/man1/*
 %changelog
+* Sat Feb 23 2008 Daniel P. Berrange - 0.9.0-4.fc7
+- Fix block device extents check (rhbz #433560)
+
 * Wed Sep 26 2007 Daniel P. Berrange - 0.9.0-3.fc7
 - Update licence
 - Fix CDROM emulation (rhbz #253542)