06a18202ab
VMDK:
When parsing a VMDK file to calculate its size, the format_inspector
determines the location of the Descriptor section by reading two
uint64 from the headers of the file and uses them to create the
descriptor CaptureRegion.
It would be possible to craft a VMDK file that commands the
format_inspector to create a very big CaptureRegion, thus exhausting
resources on the glance-api process.
This patch binds the beginning of the descriptor to 0x200 and limits
the size of the CaptureRegion to 1MB, similar to how the VMDK
descriptor is parsed by qemu.
VHDX:
It is a bit more involved, but similar: when looking for the
VIRTUAL_DISK_SIZE metadata, the format_inspector was creating an
unbounded CaptureRegion.
In the same way as it seems to be done in Qemu, we now limit the upper
bound of this CaptureRegion.
Closes-Bug: #2006490
Change-Id: I3ec5a33df20e1cfb6673f4ff1c7c91aacd065532
(cherry picked from commit
|
||
|---|---|---|
| api-ref/source | ||
| doc | ||
| etc | ||
| glance | ||
| httpd | ||
| playbooks | ||
| rally-jobs | ||
| releasenotes | ||
| tools | ||
| .coveragerc | ||
| .gitignore | ||
| .gitreview | ||
| .mailmap | ||
| .stestr.conf | ||
| .zuul.yaml | ||
| CONTRIBUTING.rst | ||
| HACKING.rst | ||
| LICENSE | ||
| README.rst | ||
| bindep.txt | ||
| requirements.txt | ||
| setup.cfg | ||
| setup.py | ||
| test-requirements.txt | ||
| tox.ini | ||
README.rst
OpenStack Glance
Glance is an OpenStack project that provides services and associated libraries to store, browse, share, distribute and manage bootable disk images, other data closely associated with initializing compute resources, and metadata definitions.
Use the following resources to learn more:
API
To learn how to use Glance's API, consult the documentation available online at:
Developers
For information on how to contribute to Glance, please see the contents of the CONTRIBUTING.rst in this repository.
Any new code must follow the development guidelines detailed in the HACKING.rst file, and pass all unit tests.
Further developer focused documentation is available at:
Operators
To learn how to deploy and configure OpenStack Glance, consult the documentation available online at:
In the unfortunate event that bugs are discovered, they should be reported to the appropriate bug tracker. You can raise bugs here:
Release notes
To learn more about Glance's new features, optimizations, and changes between versions, consult the release notes online at:
Other Information
During each design summit, we agree on what the whole community wants to focus on for the upcoming release. You can see image service plans:
For more information about the Glance project please see: