[PATCH 8/9] virDiskNameParse: Fix integer overflow in disk name parsing

The conversion to index entails multiplication and accumulation by
user-provided data, which can easily overflow. Use
VIR_MULTIPLY_ADD_IS_OVERFLOW to check if the string is valid.

Closes: https://gitlab.com/libvirt/libvirt/-/issues/674
Signed-off-by: Peter Krempa <pkrempa@xxxxxxxxxx>
---
 src/util/virutil.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/util/virutil.c b/src/util/virutil.c
index dc5009f11d..6c89a48e51 100644
--- a/src/util/virutil.c
+++ b/src/util/virutil.c
@@ -338,11 +338,17 @@ int virDiskNameParse(const char *name, int *disk, int *partition)
         return -1;

     for (i = 0; *ptr; i++) {
+        int c = *ptr - 'a';
+
         if (!g_ascii_islower(*ptr))
             break;

-        idx = (idx + (i < 1 ? 0 : 1)) * 26;
-        idx += *ptr - 'a';
+        idx = (idx + (i < 1 ? 0 : 1));
+
+        if (VIR_MULTIPLY_ADD_IS_OVERFLOW(INT_MAX, idx, 26, c))
+            return -1;
+
+        idx = idx * 26 + c;
         ptr++;
     }

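Review bot: The increment in `idx = (idx + (i < 1 ? 0 : 1));` still runs before the new overflow check and is not covered by it. If an earlier iteration leaves idx at exactly INT_MAX, which the check permits if the bound is inclusive, the `+ 1` on the next letter is itself a signed overflow. Consider rejecting `idx == INT_MAX` before incrementing, or doing the increment in a wider type and checking that. Separately, `int c = *ptr - 'a';` is computed before the `g_ascii_islower(*ptr)` test, so it briefly holds an out-of-range value for non-lowercase input; it is harmless because of the `break`, but assigning c after the check would make the 0..25 invariant obvious. The diffstat touches only src/util/virutil.c, so a test case with an over-long disk name that exercises the new `return -1` path would be worth adding.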
-- 
2.46.0



