Make sure there were no overflows when calculating the in-memory refcount table size from the number of its clusters in-file.
Signed-off-by: Max Reitz <[email protected]>
---
 block/qcow2.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/block/qcow2.c b/block/qcow2.c
index 3e612a8..9c29e1a 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -558,6 +558,14 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
 s->refcount_table_size =
 header.refcount_table_clusters << (s->cluster_bits - 3);
+ if ((s->refcount_table_size >> (s->cluster_bits - 3)) !=
+ header.refcount_table_clusters)
+ {
+ error_setg(errp, "Refcount table is too big");
+ ret = -EINVAL;
+ goto fail;
+ }
+
 /* read the level 1 table */
 s->l1_size = header.l1_size;
--
1.8.4.2
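Review bot: The added round-trip check in `qcow2_open` only detects bits lost by the left shift and puts no upper bound on the result. A value of `header.refcount_table_clusters` taken from an untrusted image can therefore still give an entry count just under the width of `s->refcount_table_size` and pass. Any byte-size computation (entries times 8) or allocation made from that field outside this hunk would then face its own overflow or a very large allocation, so I would reject oversized tables before shifting, e.g. `if (header.refcount_table_clusters > (REFTABLE_MAX_BYTES >> s->cluster_bits)) {`, where `REFTABLE_MAX_BYTES` is a placeholder for a limit the project chooses. The check also relies on both operands being unsigned and on `s->cluster_bits` being validated to at least 3 earlier in the function. Neither is visible here, so a short comment stating those assumptions would help; the body of `qcow2_open` starts and ends outside the hunk.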
