qcow2: Fix qemu-img check segfault on corrupted images
With corrupted images, we can easily get a cluster index that exceeds the array size of the temporary refcount table. Signed-off-by: Kevin Wolf <kwolf@redhat.com>
parent
20a81e4d17
commit
6882c8fa78
|
@ -1140,22 +1140,30 @@ int qcow2_check_refcounts(BlockDriverState *bs)
|
||||||
s->refcount_table_offset,
|
s->refcount_table_offset,
|
||||||
s->refcount_table_size * sizeof(uint64_t));
|
s->refcount_table_size * sizeof(uint64_t));
|
||||||
for(i = 0; i < s->refcount_table_size; i++) {
|
for(i = 0; i < s->refcount_table_size; i++) {
|
||||||
int64_t offset;
|
uint64_t offset, cluster;
|
||||||
offset = s->refcount_table[i];
|
offset = s->refcount_table[i];
|
||||||
|
cluster = offset >> s->cluster_bits;
|
||||||
|
|
||||||
/* Refcount blocks are cluster aligned */
|
/* Refcount blocks are cluster aligned */
|
||||||
if (offset & (s->cluster_size - 1)) {
|
if (offset & (s->cluster_size - 1)) {
|
||||||
fprintf(stderr, "ERROR refcount block %d is not "
|
fprintf(stderr, "ERROR refcount block %d is not "
|
||||||
"cluster aligned; refcount table entry corrupted\n", i);
|
"cluster aligned; refcount table entry corrupted\n", i);
|
||||||
errors++;
|
errors++;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (cluster >= nb_clusters) {
|
||||||
|
fprintf(stderr, "ERROR refcount block %d is outside image\n", i);
|
||||||
|
errors++;
|
||||||
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (offset != 0) {
|
if (offset != 0) {
|
||||||
errors += inc_refcounts(bs, refcount_table, nb_clusters,
|
errors += inc_refcounts(bs, refcount_table, nb_clusters,
|
||||||
offset, s->cluster_size);
|
offset, s->cluster_size);
|
||||||
if (refcount_table[offset / s->cluster_size] != 1) {
|
if (refcount_table[cluster] != 1) {
|
||||||
fprintf(stderr, "ERROR refcount block %d refcount=%d\n",
|
fprintf(stderr, "ERROR refcount block %d refcount=%d\n",
|
||||||
i, refcount_table[offset / s->cluster_size]);
|
i, refcount_table[cluster]);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
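Review bot: The new guard `if (cluster >= nb_clusters)` is what keeps the later `refcount_table[cluster]` read in bounds, but `nb_clusters` is declared outside the hunk and, if it is a signed type derived from the image length, a negative value would be converted to unsigned in this comparison and let every index through; declaring it unsigned or checking `nb_clusters > 0` before the loop would make the guard self-contained. A one-line comment on the check, `/* cluster indexes refcount_table below; entries past the image end must not be used */`, would record why it has to precede the `offset != 0` test rather than sit inside it. Because both checks end in `continue`, an entry that is both misaligned and beyond the image reports only the alignment error, which is acceptable for `qemu-img check` output but worth knowing when reading it. qcow2_check_refcounts starts and ends outside the hunk.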