bochs: Fix catalog size check

The old check was off by a factor of 512 and didn't consider cases where
we don't get an exact division. This could lead to an out-of-bounds
array access in seek_to_sector().

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>

1 files changed, 11 insertions, 3 deletions

diff --git a/block/bochs.c b/block/bochs.c
index 50b84a9..eacf956 100644
--- a/block/bochs.c
+++ b/block/bochs.c
@@ -148,8 +148,14 @@ static int bochs_open(BlockDriverState *bs, QDict *options, int flags,
     s->extent_blocks = 1 + (le32_to_cpu(bochs.extent) - 1) / 512;
 
     s->extent_size = le32_to_cpu(bochs.extent);
-    if (s->extent_size == 0) {
-        error_setg(errp, "Extent size may not be zero");
+    if (s->extent_size < BDRV_SECTOR_SIZE) {
+        /* bximage actually never creates extents smaller than 4k */
+        error_setg(errp, "Extent size must be at least 512");
+        ret = -EINVAL;
+        goto fail;
+    } else if (!is_power_of_2(s->extent_size)) {
+        error_setg(errp, "Extent size %" PRIu32 " is not a power of two",
+                   s->extent_size);
         ret = -EINVAL;
         goto fail;
     } else if (s->extent_size > 0x800000) {
@@ -159,7 +165,9 @@ static int bochs_open(BlockDriverState *bs, QDict *options, int flags,
         goto fail;
     }
 
-    if (s->catalog_size < bs->total_sectors / s->extent_size) {
+    if (s->catalog_size < DIV_ROUND_UP(bs->total_sectors,
+                                       s->extent_size / BDRV_SECTOR_SIZE))
+    {
         error_setg(errp, "Catalog size is too small for this disk size");
         ret = -EINVAL;
         goto fail;