From: Kevin Wolf <kwolf@redhat.com>
Date: Wed, 26 Mar 2014 13:05:34 +0100
Subject: bochs: Check extent_size header field (CVE-2014-0142)

This fixes two possible division by zero crashes: In bochs_open() and in
seek_to_sector().

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 8e53abbc20d08ae3ec30c2054e1161314ad9501d)

Conflicts:
	block/bochs.c
	tests/qemu-iotests/078
	tests/qemu-iotests/078.out

diff --git a/block/bochs.c b/block/bochs.c
index 30eb6e9..5c6e08e 100644
--- a/block/bochs.c
+++ b/block/bochs.c
@@ -157,6 +157,14 @@ static int bochs_open(BlockDriverState *bs, int flags)
     s->extent_blocks = 1 + (le32_to_cpu(bochs.extra.redolog.extent) - 1) / 512;
 
     s->extent_size = le32_to_cpu(bochs.extra.redolog.extent);
+    if (s->extent_size == 0) {
+        fprintf(stderr, "Extent size may not be zero\n");
+        goto fail;
+    } else if (s->extent_size > 0x800000) {
+        fprintf(stderr, "Extent size %" PRIu32 " is too large\n",
+                   s->extent_size);
+        goto fail;
+    }
 
     if (s->catalog_size < bs->total_sectors / s->extent_size) {
         fprintf(stderr, "Catalog size is too small for this disk size\n");
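
Review bot: The upper bound in `} else if (s->extent_size > 0x800000) {` is a bare magic number; a named constant or a one-line comment saying why 8 MiB is the limit would make the check auditable. The new validation also sits below the context line `s->extent_blocks = 1 + (le32_to_cpu(bochs.extra.redolog.extent) - 1) / 512;`, which derives a value from the same unvalidated field. For a zero extent the `- 1` wraps around, and this does no harm only because the `goto fail` follows. Reading the field once into `s->extent_size`, validating it, and only then computing `extent_blocks` would remove that dependency on ordering. The Conflicts list names tests/qemu-iotests/078 and 078.out, but this diff carries only block/bochs.c, so the zero and oversized cases have no regression test in this backport; it is worth saying so in the commit message or adding the test cases back.
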
-- 
1.7.10.4

