On Wed, Feb 06, 2013 at 01:31:48PM +0100, Benoît Canet wrote:
> @@ -148,6 +158,19 @@ static int qcow2_read_extensions(BlockDriverState *bs,
> uint64_t start_offset,
> }
> break;
>
> + case QCOW2_EXT_MAGIC_DEDUP_TABLE:
> + ret = bdrv_pread(bs->file, offset,
> + &dedup_table_extension, ext.len);
Buffer overflow if ext.len > sizeof(dedup_table_extension). Please
check ext.len before using it.
> + if (ret < 0) {
> + return ret;
> + }
> + s->dedup_table_offset =
> + be64_to_cpu(dedup_table_extension.offset);
> + s->dedup_table_size =
> + be32_to_cpu(dedup_table_extension.size);
> + s->dedup_hash_algo = dedup_table_extension.hash_algo;
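Review bot: The three assignments at the end of this hunk copy dedup_table_offset, dedup_table_size and dedup_hash_algo straight from the on-disk extension into BlockDriverState without any bounds or sanity checks, and the preceding bdrv_pread uses the header-supplied ext.len as the read length. Because ext.len is attacker-controlled (it comes from the image file), it should be compared against sizeof(dedup_table_extension) before the read: a larger value overruns the stack buffer, and a smaller value leaves offset, size and hash_algo uninitialized while still passing the `ret < 0` test. Suggested shape, mirroring how the other extension cases reject malformed lengths:

    if (ext.len != sizeof(dedup_table_extension)) {
        return -EINVAL;
    }

After that, please validate what was read before storing it: reject a dedup_hash_algo value that is not one of the algorithms this series supports, reject a dedup_table_size that is zero or larger than whatever the later allocation and in-memory table code can handle, and check that dedup_table_offset is cluster-aligned and lies inside the image, since a hostile qcow2 file must not be able to steer later reads or the size of a table allocation.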
Input validation for these fields (especially table size)?