From: Anastasia Belova <abelova@astralinux.ru>

desc length should be always less than VIR_STORAGE_MAX_HEADER.
If len = VIR_STORAGE_MAX_HEADER, desc may be out of bounds.

Fixes: 296032bfb2 ("util: extract storage file probe code into virtstoragefileprobe.c")
Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
---
 src/storage_file/storage_file_probe.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/storage_file/storage_file_probe.c b/src/storage_file/storage_file_probe.c
index 9465af5d96..0dcc9c2c54 100644
--- a/src/storage_file/storage_file_probe.c
+++ b/src/storage_file/storage_file_probe.c
@@ -586,8 +586,8 @@ vmdk4GetBackingStore(char **res,
         return BACKING_STORE_INVALID;
 
     len = buf_size - 0x200;
-    if (len > VIR_STORAGE_MAX_HEADER)
-        len = VIR_STORAGE_MAX_HEADER;
+    if (len >= VIR_STORAGE_MAX_HEADER)
+        len = VIR_STORAGE_MAX_HEADER - 1;
     memcpy(desc, buf + 0x200, len);
     desc[len] = '\0';
     start = strstr(desc, prefix);
-- 
2.30.2

On a Wednesday in 2023, Анастасия Белова wrote:
>From: Anastasia Belova <abelova@astralinux.ru>
>
>desc length should be always less than VIR_STORAGE_MAX_HEADER.
>If len = VIR_STORAGE_MAX_HEADER, desc may be out of bounds.
>
>Fixes: 296032bfb2 ("util: extract storage file probe code into virtstoragefileprobe.c")

That commit only moved the code.
The off-by-one error was introduced by:
commit 348b4e254bea98c83107887c0cf64c6572063d64
     storage: always probe type with buffer

>Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
>---
> src/storage_file/storage_file_probe.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>

Reviewed-by: Ján Tomko <jtomko@redhat.com>

Jano