On 05/11/13 10:16, Richard Jones wrote:
> Still happening in upstream qemu from git:
>
> Program terminated with signal 11, Segmentation fault.
> #0  0x00007f4f86c721a0 in get_cluster_table (bs=bs@entry=0x7f4f886e7880,
>     offset=offset@entry=1152921504606834688,
>     new_l2_table=new_l2_table@entry=0x7f4f8ad9a0b0,
>     new_l2_index=new_l2_index@entry=0x7f4f8ad9a0ac)
>     at block/qcow2-cluster.c:525
> 525         l2_offset = s->l1_table[l1_index] & L1E_OFFSET_MASK;
Supposing that line 517 doesn't overflow "l1_index" for starters (which is a uint32_t in practice), line 519 converts "l1_index + 1" to "signed int". If the "min_size" parameter of qcow2_grow_l1_table() is negative, then the function won't do anything.

Laszlo
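An added example, written for this page and not code from the thread or from QEMU, that models the conversions Laszlo describes using the offset from the backtrace. It assumes the default 64 KiB cluster size (cluster_bits = 16, so l2_bits = 13), a small two-entry L1 table, and for the hardened variant an assumed cap MAX_L1_ENTRIES that is not taken from the thread; the trace_vulnerable(), grow_l1_table_int() and l1_index_hardened() names are this example's own.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Offset from the backtrace in the report: 2^60 - 12288. */
#define CRASH_OFFSET 1152921504606834688ULL

/* Assumed cap on L1 entries for the hardened path (a 32 MiB table of
 * 8-byte entries); an assumption of this example, not from the thread. */
#define MAX_L1_ENTRIES (0x2000000ULL / 8)

/* What the reported code path does with an offset, recorded instead of
 * dereferencing anything. */
typedef struct {
    unsigned int l1_index;  /* index as the 32-bit "unsigned int" holds it */
    int min_size;           /* value handed to the int min_size parameter */
    int grew;               /* 1 if the table was (notionally) grown */
    int out_of_bounds;      /* 1 if l1_table[l1_index] would be read past the table */
} Trace;

/* Models the early return "if (min_size <= s->l1_size) return 0;" with an
 * int min_size. Returns 1 if it grew the table. */
static int grow_l1_table_int(int *l1_size, int min_size)
{
    if (min_size <= *l1_size) {
        return 0;            /* also taken when min_size went negative */
    }
    *l1_size = min_size;     /* stand-in for the real reallocation */
    return 1;
}

/* Vulnerable flow: l1_index is unsigned int, min_size is int.
 * cluster_bits is log2 of the cluster size; l2_bits = cluster_bits - 3
 * because each L2 entry is 8 bytes. */
Trace trace_vulnerable(int cluster_bits, int l1_size, uint64_t offset)
{
    Trace t = {0, 0, 0, 0};
    int l2_bits = cluster_bits - 3;

    /* Truncation to 32 bits happens here if the shifted value is too large;
     * for CRASH_OFFSET with 64 KiB clusters it is exactly 0x7FFFFFFF. */
    t.l1_index = (unsigned int)(offset >> (l2_bits + cluster_bits));

    if (t.l1_index >= (unsigned int)l1_size) {
        /* l1_index + 1 is computed as unsigned (0x80000000u for the crash
         * offset); converting it to int is implementation-defined and gives
         * INT_MIN on the usual two's-complement targets. */
        t.min_size = (int)(t.l1_index + 1u);
        t.grew = grow_l1_table_int(&l1_size, t.min_size);
    }
    /* The original then reads s->l1_table[l1_index] with no further check. */
    t.out_of_bounds = t.l1_index >= (unsigned int)l1_size;
    return t;
}

/* Hardened variant: keep the index 64-bit and bound it before anything is
 * grown or indexed, so a later uint64_t min_size can never go negative.
 * Returns the index, or a negative errno value. */
int64_t l1_index_hardened(int cluster_bits, uint64_t offset)
{
    int l2_bits = cluster_bits - 3;
    uint64_t l1_index = offset >> (l2_bits + cluster_bits);

    if (l1_index >= MAX_L1_ENTRIES) {
        return -EFBIG;       /* refuse instead of indexing past the table */
    }
    return (int64_t)l1_index;
}

int main(void)
{
    Trace t = trace_vulnerable(16, 2, CRASH_OFFSET);
    printf("l1_index=%#x min_size=%d grew=%d out_of_bounds=%d\n",
           t.l1_index, t.min_size, t.grew, t.out_of_bounds);
    printf("hardened: %lld\n", (long long)l1_index_hardened(16, CRASH_OFFSET));
    return 0;
}
```

With the crash offset and 64 KiB clusters the shift by 29 yields exactly 0x7FFFFFFF, so "l1_index + 1" becomes 0x80000000u, arrives as a negative int, the grow call returns 0 without touching the table, and the subsequent read indexes entry 0x7FFFFFFF of a two-entry table, which matches the fault at line 525. A sane offset such as 3 GiB gives index 6, grows the table to 7 entries and reads in bounds.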