The number is parsed manually without making sure it'll fit. Fixes: 3bbac7cdb67 Closes: https://gitlab.com/libvirt/libvirt/-/issues/671 Signed-off-by: Peter Krempa <pkrempa@xxxxxxxxxx> --- src/util/virconf.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/util/virconf.c b/src/util/virconf.c index 8fdf40e9d0..da07af178d 100644 --- a/src/util/virconf.c +++ b/src/util/virconf.c @@ -347,6 +347,12 @@ virConfParseLong(virConfParserCtxt *ctxt, long long *val) return -1; } while ((ctxt->cur < ctxt->end) && (g_ascii_isdigit(CUR))) { + if (l > LLONG_MAX / 10) { + virConfError(ctxt, VIR_ERR_OVERFLOW, + _("numeric overflow in conf value")); + return -1; + } + l = l * 10 + (CUR - '0'); NEXT; } -- 2.46.0
