From 1ff009af1a06975603b8cd5d0381aca734e7f2f2 Mon Sep 17 00:00:00 2001
From: Theodore Ts'o
Date: Sun, 24 Jun 2018 14:52:03 -0400
Subject: [PATCH] e2image, libext2fs: check for corrupted qcow2 image

If the qcow2 image is corrupted, qcow2_write_image() will now return an indication of this to e2image (the only current user of qcow2_write_image). Also fix how e2image prints an error message it can't understand the qcow2 image.

Addresses-Coverity-Bug: 1297511
Signed-off-by: Theodore Ts'o
---
 lib/ext2fs/qcow2.c | 10 ++++++++++
 lib/ext2fs/qcow2.h | 1 +
 misc/e2image.c | 15 ++++++++++-----
 3 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/lib/ext2fs/qcow2.c b/lib/ext2fs/qcow2.c
index 4037f93..71a4792 100644
--- a/lib/ext2fs/qcow2.c
+++ b/lib/ext2fs/qcow2.c
@@ -166,6 +166,7 @@ int qcow2_write_raw_image(int qcow2_fd, int raw_fd,
 blk64_t *l1_table, *l2_table = NULL;
 void *copy_buf = NULL;
 size_t size;
+ unsigned int max_l1_size;
 if (hdr->crypt_method)
 return -QCOW_ENCRYPTED;
@@ -175,12 +176,21 @@ int qcow2_write_raw_image(int qcow2_fd, int raw_fd,
 img.l2_cache = NULL;
 img.l1_table = NULL;
 img.cluster_bits = ext2fs_be32_to_cpu(hdr->cluster_bits);
+ if (img.cluster_bits < 9 || img.cluster_bits > 31)
+ return -QCOW_CORRUPTED;
 img.cluster_size = 1 << img.cluster_bits;
 img.l1_size = ext2fs_be32_to_cpu(hdr->l1_size);
 img.l1_offset = ext2fs_be64_to_cpu(hdr->l1_table_offset);
 img.l2_size = 1 << (img.cluster_bits - 3);
 img.image_size = ext2fs_be64_to_cpu(hdr->size);
+ if (img.l1_offset & (img.cluster_size - 1))
+ return -QCOW_CORRUPTED;
+
+ max_l1_size = (img.image_size >> ((2 * img.cluster_bits) - 3)) +
+ img.cluster_size;
+ if (img.l1_size > max_l1_size)
+ return -QCOW_CORRUPTED;
 ret = ext2fs_get_memzero(img.cluster_size, &l2_table);
 if (ret)
diff --git a/lib/ext2fs/qcow2.h b/lib/ext2fs/qcow2.h
index 81e0ec9..5576348 100644
--- a/lib/ext2fs/qcow2.h
+++ b/lib/ext2fs/qcow2.h
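Review bot: The new range check still accepts `cluster_bits == 31`, and the unchanged `img.cluster_size = 1 << img.cluster_bits;` directly after it then shifts a signed `int` into its sign bit, which is undefined behaviour; either reject anything above 30 or write the shift as `1U << img.cluster_bits`. The `max_l1_size` bound has a related width problem: `hdr->size` is read with the 64-bit byte-swap helper, but the shifted value is stored in the `unsigned int` declared in the first hunk, so a large claimed size combined with a small `cluster_bits` can be truncated before the comparison. Because `image_size` comes from the same untrusted header as `l1_size`, the test is only a consistency check between two header fields, and a comment such as `/* bounds l1_size by the size the header claims, not by the file's real length */` would stop later readers from treating it as a hard limit. The function starts before and continues after this hunk, so how `l1_size` is later used for allocation and reads is not visible here.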
@@ -35,6 +35,7 @@
 #define QCOW_COMPRESSED 1
 #define QCOW_ENCRYPTED 2
+#define QCOW_CORRUPTED 3
 struct ext2_qcow2_hdr {
 __u32 magic;
diff --git a/misc/e2image.c b/misc/e2image.c
index d52accf..d32b84a 100644
--- a/misc/e2image.c
+++ b/misc/e2image.c
@@ -1633,13 +1633,18 @@ skip_device:
 if (ret == -QCOW_COMPRESSED)
 fprintf(stderr, _("Image (%s) is compressed\n"),
 image_fn);
- if (ret == -QCOW_ENCRYPTED)
+ else if (ret == -QCOW_ENCRYPTED)
 fprintf(stderr, _("Image (%s) is encrypted\n"),
 image_fn);
- com_err(program_name, ret,
- _("while trying to convert qcow2 image"
- " (%s) into raw image (%s)"),
- device_name, image_fn);
+ else if (ret == -QCOW_CORRUPTED)
+ fprintf(stderr, _("Image (%s) is corrupted\n"),
+ image_fn);
+ else
+ com_err(program_name, ret,
+ _("while trying to convert qcow2 image"
+ " (%s) into raw image (%s)"),
+ image_fn, device_name);
+ ret = 1;
 }
 goto out;
 }
--
1.8.3.1
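Review bot: All four branches of the new chain treat `image_fn` as the qcow2 input, whereas the removed `com_err` call named `device_name` as the qcow2 image and `image_fn` as the raw output, and nothing in the hunk shows which reading is correct. If the qcow2 file is the one opened from `device_name`, these messages would report the output file as compressed, encrypted or corrupted; the fix would then be `device_name` in the three `fprintf` calls and `device_name, image_fn` in `com_err`. The enclosing `if (ret) {` block and the code that opens the qcow2 descriptor lie outside this hunk, so the order has to be confirmed there. A one-line comment above the chain stating which variable holds the source image would record the answer.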