From b80713de2976985cb3d1a3ac47fc308a9427f119 Mon Sep 17 00:00:00 2001
From: Daniel P. Berrange <berrange@fedoraproject.org>
Date: Feb 23 2008 16:04:37 +0000
Subject: Fix block device extents check (rhbz #433560)


---

diff --git a/qemu-0.9.1-block-rw-range-check.patch b/qemu-0.9.1-block-rw-range-check.patch
new file mode 100644
index 0000000..a32af8c
--- /dev/null
+++ b/qemu-0.9.1-block-rw-range-check.patch
@@ -0,0 +1,108 @@
+diff --git a/block.c b/block.c
+index 0f8ad7b..d7f1114 100644
+--- a/block.c
++++ b/block.c
+@@ -123,6 +123,24 @@ void path_combine(char *dest, int dest_size,
+     }
+ }
+ 
++static int bdrv_rw_badreq_sectors(BlockDriverState *bs,
++				int64_t sector_num, int nb_sectors)
++{
++    return
++	nb_sectors < 0 ||
++	nb_sectors > bs->total_sectors ||
++	sector_num > bs->total_sectors - nb_sectors;
++}
++
++static int bdrv_rw_badreq_bytes(BlockDriverState *bs,
++				  int64_t offset, int count)
++{
++    int64_t size = bs->total_sectors << SECTOR_BITS;
++    return
++	count < 0 ||
++	count > size ||
++	offset > size - count;
++}
+ 
+ static void bdrv_register(BlockDriver *bdrv)
+ {
+@@ -375,6 +393,7 @@ int bdrv_open2(BlockDriverState *bs, const char *filename, int flags,
+     }
+     bs->drv = drv;
+     bs->opaque = qemu_mallocz(drv->instance_size);
++    bs->total_sectors = 0; /* driver will set if it does not do getlength */
+     if (bs->opaque == NULL && drv->instance_size > 0)
+         return -1;
+     /* Note: for compatibility, we open disk image files as RDWR, and
+@@ -440,6 +459,7 @@ void bdrv_close(BlockDriverState *bs)
+         bs->drv = NULL;
+ 
+         /* call the change callback */
++	bs->total_sectors = 0;
+         bs->media_changed = 1;
+         if (bs->change_cb)
+             bs->change_cb(bs->change_opaque);
+@@ -505,6 +525,8 @@ int bdrv_read(BlockDriverState *bs, int64_t sector_num,
+     if (!drv)
+         return -ENOMEDIUM;
+ 
++    if (bdrv_rw_badreq_sectors(bs, sector_num, nb_sectors))
++	return -EDOM;
+     if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
+             memcpy(buf, bs->boot_sector_data, 512);
+         sector_num++;
+@@ -545,6 +567,8 @@ int bdrv_write(BlockDriverState *bs, int64_t sector_num,
+         return -ENOMEDIUM;
+     if (bs->read_only)
+         return -EACCES;
++    if (bdrv_rw_badreq_sectors(bs, sector_num, nb_sectors))
++	return -EDOM;
+     if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
+         memcpy(bs->boot_sector_data, buf, 512);
+     }
+@@ -670,6 +694,8 @@ int bdrv_pread(BlockDriverState *bs, int64_t offset,
+         return -ENOMEDIUM;
+     if (!drv->bdrv_pread)
+         return bdrv_pread_em(bs, offset, buf1, count1);
++    if (bdrv_rw_badreq_bytes(bs, offset, count1))
++	return -EDOM;
+     return drv->bdrv_pread(bs, offset, buf1, count1);
+ }
+ 
+@@ -685,6 +711,8 @@ int bdrv_pwrite(BlockDriverState *bs, int64_t offset,
+         return -ENOMEDIUM;
+     if (!drv->bdrv_pwrite)
+         return bdrv_pwrite_em(bs, offset, buf1, count1);
++    if (bdrv_rw_badreq_bytes(bs, offset, count1))
++	return -EDOM;
+     return drv->bdrv_pwrite(bs, offset, buf1, count1);
+ }
+ 
+@@ -951,6 +979,8 @@ int bdrv_write_compressed(BlockDriverState *bs, int64_t sector_num,
+         return -ENOMEDIUM;
+     if (!drv->bdrv_write_compressed)
+         return -ENOTSUP;
++    if (bdrv_rw_badreq_sectors(bs, sector_num, nb_sectors))
++	return -EDOM;
+     return drv->bdrv_write_compressed(bs, sector_num, buf, nb_sectors);
+ }
+ 
+@@ -1097,6 +1127,8 @@ BlockDriverAIOCB *bdrv_aio_read(BlockDriverState *bs, int64_t sector_num,
+ 
+     if (!drv)
+         return NULL;
++    if (bdrv_rw_badreq_sectors(bs, sector_num, nb_sectors))
++	return NULL;
+ 
+     /* XXX: we assume that nb_sectors == 0 is suppored by the async read */
+     if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
+@@ -1128,6 +1160,8 @@ BlockDriverAIOCB *bdrv_aio_write(BlockDriverState *bs, int64_t sector_num,
+         return NULL;
+     if (bs->read_only)
+         return NULL;
++    if (bdrv_rw_badreq_sectors(bs, sector_num, nb_sectors))
++	return NULL;
+     if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
+         memcpy(bs->boot_sector_data, buf, 512);
+     }
diff --git a/qemu.spec b/qemu.spec
index b9e3755..e97806b 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -8,7 +8,7 @@
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 0.9.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: Development/Tools
 URL: http://www.qemu.org/
@@ -17,6 +17,7 @@ Source1: qemu.init
 Patch0: qemu-0.7.0-build.patch
 # Change default NIC to rtl8139 to get link-state detection
 Patch3: qemu-0.9.1-nic-defaults.patch
+Patch4: qemu-%{version}-block-rw-range-check.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: SDL-devel compat-gcc-%{gccver} zlib-devel which texi2html gnutls-devel
 Requires(post): /sbin/chkconfig
@@ -41,6 +42,7 @@ As QEMU requires no host kernel patches to run, it is safe and easy to use.
 %setup -q
 %patch0 -p1
 %patch3 -p1
+%patch4 -p1
 
 %build
 ./configure \
@@ -92,6 +94,9 @@ fi
 %{_mandir}/man1/*
 
 %changelog
+* Sat Feb 23 2008 Daniel Berrange <berrange@t60wlan.home.berrange.com> - 0.9.1-3.fc9
+- Fix block device extents check (rhbz #433560)
+
 * Mon Feb 18 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 0.9.1-2
 - Autorebuild for GCC 4.3