On Mon, Nov 24, 2014 at 04:56:59PM +0100, Max Reitz wrote: > @@ -136,6 +138,34 @@ int qcow2_read_snapshots(BlockDriverState *bs) > size_to_clusters(s, sn->l1_size * > sizeof(uint64_t)), > QCOW2_OL_INACTIVE_L1); > + > + if (!(s->overlap_check & QCOW2_OL_INACTIVE_L2)) { > + continue; > + } > + > + l1_table = qemu_try_blockalign(bs->file, > + sn->l1_size * sizeof(uint64_t));
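Review bot: `sn->l1_size` is passed to `qemu_try_blockalign(bs->file, sn->l1_size * sizeof(uint64_t))` without a prior bound check, and since it is read from the on-disk snapshot table a corrupt or hostile image controls it. Validate it against QCOW_MAX_L1_SIZE (returning an error for the snapshot) before the allocation, so that the allocation and the read that follows cannot be driven to an arbitrary size; the hunk as quoted ends at the allocation, so the NULL-return handling for `l1_table` is not visible here and should be confirmed in the full patch.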
At this point we haven't validated sn->l1_size <= QCOW_MAX_L1_SIZE. A bogus l1_size means we do a huge read and add junk into the metadata list. I think it would be best to check the value here.