[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH 2/4] qcow2-refcount: Sanitize refcount table size
From: |
Max Reitz |
Subject: |
[Qemu-devel] [PATCH 2/4] qcow2-refcount: Sanitize refcount table size |
Date: |
Sun, 17 Nov 2013 15:18:42 +0100 |
Make sure the refcount table size will not overflow when multiplied by
sizeof(uint64_t) and implicitly casted to int.
Signed-off-by: Max Reitz <address@hidden>
---
block/qcow2-refcount.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index 1ff43d0..2912097 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -42,6 +42,10 @@ int qcow2_refcount_init(BlockDriverState *bs)
BDRVQcowState *s = bs->opaque;
int ret, refcount_table_size2, i;
+ if (s->refcount_table_size >= INT_MAX / sizeof(uint64_t)) {
+ goto fail;
+ }
+
refcount_table_size2 = s->refcount_table_size * sizeof(uint64_t);
s->refcount_table = g_malloc(refcount_table_size2);
if (s->refcount_table_size > 0) {
--
1.8.4.2