Update git submodules

* Update glance from branch 'master'
  to 3929db2c730f7d977e72c713bff02be725219b9c
  - Merge "Limit CaptureRegion sizes in format_inspector for VMDK and VHDX"
  - Limit CaptureRegion sizes in format_inspector for VMDK and VHDX
    
    VMDK:
    When parsing a VMDK file to calculate its size, the format_inspector
    determines the location of the Descriptor section by reading two
    uint64 from the headers of the file and uses them to create the
    descriptor CaptureRegion.
    
    It would be possible to craft a VMDK file that commands the
    format_inspector to create a very big CaptureRegion, thus exhausting
    resources on the glance-api process.
    
    This patch binds the beginning of the descriptor to 0x200 and limits
    the size of the CaptureRegion to 1MB, similar to how the VMDK
    descriptor is parsed by qemu.
    
    VHDX:
    It is a bit more involved, but similar: when looking for the
    VIRTUAL_DISK_SIZE metadata, the format_inspector was creating an
    unbounded CaptureRegion.
    
    In the same way as it seems to be done in Qemu, we now limit the upper
    bound of this CaptureRegion.
    
    Change-Id: I3ec5a33df20e1cfb6673f4ff1c7c91aacd065532
Zuul 2023-02-06 10:59:36 +00:00 committed by Gerrit Code Review
parent 361a076c68
commit 0154c79ddf
1 changed files with 1 additions and 1 deletions
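
The VMDK half of the commit message, as an added example (not glance's own code): the descriptor region computed from the two header uint64 values as-is, next to the bounded form the message describes. The function names, the field offset 28 (taken from the VMDK sparse-extent header layout, not from this page) and the sample headers are assumptions constructed for illustration.

```python
import struct

SECTOR = 512
DESC_OFFSET = 0x200        # fixed descriptor start named in the commit message
DESC_MAX_SIZE = 1 << 20    # 1MB cap named in the commit message


def build_header(desc_sector, desc_sectors):
    """Constructed sparse-extent header; only the fields used here are set."""
    # magic, version, flags, capacity, grainSize, descriptorOffset, descriptorSize
    hdr = struct.pack('<4sIIQQQQ', b'KDMV', 1, 0, 0, 128,
                      desc_sector, desc_sectors)
    return hdr.ljust(SECTOR, b'\0')


def descriptor_region_unbounded(header):
    """Behaviour the message describes as the problem: trust both uint64s."""
    desc_sector, desc_sectors = struct.unpack_from('<QQ', header, 28)
    return desc_sector * SECTOR, desc_sectors * SECTOR


def descriptor_region_bounded(header):
    """Behaviour the message describes as the fix: fixed start, capped length."""
    if header[:4] != b'KDMV':
        raise ValueError('not a VMDK sparse-extent header')
    _, desc_sectors = struct.unpack_from('<QQ', header, 28)
    return DESC_OFFSET, min(desc_sectors * SECTOR, DESC_MAX_SIZE)


if __name__ == '__main__':
    benign = build_header(1, 20)          # 10 KiB descriptor at sector 1
    crafted = build_header(1, 2 ** 40)    # header claims a 2**49-byte descriptor
    for name, hdr in (('benign', benign), ('crafted', crafted)):
        print(name, descriptor_region_unbounded(hdr),
              descriptor_region_bounded(hdr))
```
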

glance

@ -1 +1 @@
Subproject commit e39ef4e43d18b7a46b23c1e94af34612b06c1a1e
Subproject commit 3929db2c730f7d977e72c713bff02be725219b9c
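
Review bot: the pointer bump on the second Subproject commit line is the only change visible in this hunk, so the 0x200 descriptor offset and the 1MB CaptureRegion limit described in the message cannot be verified here. The new hash 3929db2c730f7d977e72c713bff02be725219b9c does match the one named in the message; the limits themselves, and the VHDX upper bound, should be reviewed in the glance change I3ec5a33df20e1cfb6673f4ff1c7c91aacd065532.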