The len variable is a signed integer, therefore it may overflow when reading the backing file name length from the qcow2 image header. This case should be handled explicitly.
Signed-off-by: Max Reitz <[email protected]>
---
 block/qcow2.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/block/qcow2.c b/block/qcow2.c
index 9c29e1a..e54176e 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -630,6 +630,11 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
 /* read the backing file name */
 if (header.backing_file_offset != 0) {
 len = header.backing_file_size;
+ if (len < 0) {
+ error_setg(errp, "Backing file name length is negative");
+ ret = -EINVAL;
+ goto fail;
+ }
 if (len > 1023) {
 len = 1023;
 }
-- 
1.8.4.2
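Review bot: The added `if (len < 0)` check only works because the out-of-range value has already been converted into the signed `len` on the line above it; if `header.backing_file_size` is an unsigned 32-bit on-disk field (as the header layout suggests — confirm against QCowHeader), values above INT_MAX become negative only through an implementation-defined conversion, and the check is testing the symptom rather than the input. A more robust guard compares the unsigned header field against its bound before the assignment, e.g. `if (header.backing_file_size > INT_MAX) { error_setg(errp, "Backing file name length is too large"); ret = -EINVAL; goto fail; }` placed before `len = header.backing_file_size;`, which also removes the oddity of reporting an unsigned on-disk length as "negative". Note that the existing clamp to 1023 immediately below still silently truncates an oversized name from an untrusted image rather than rejecting it; that is pre-existing behaviour, but a comment such as `/* on-disk length is untrusted; anything beyond INT_MAX is a malformed image */` would make the intent of the new check clear. qcow2_open's body starts and ends outside this hunk.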
