Commit a3548077, author: Kevin Wolf

qcow2: Fix refcount table size calculation

A missing factor for the refcount table entry size in the calculation
could mean that too little memory was allocated for the in-memory
representation of the table, resulting in a buffer overflow.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Tested-by: Michael Tokarev <mjt@tls.msk.ru>
Parent 8809e289
...@@ -301,7 +301,8 @@ static int alloc_refcount_block(BlockDriverState *bs, ...@@ -301,7 +301,8 @@ static int alloc_refcount_block(BlockDriverState *bs,
uint64_t last_table_size; uint64_t last_table_size;
uint64_t blocks_clusters; uint64_t blocks_clusters;
do { do {
uint64_t table_clusters = size_to_clusters(s, table_size); uint64_t table_clusters =
size_to_clusters(s, table_size * sizeof(uint64_t));
blocks_clusters = 1 + blocks_clusters = 1 +
((table_clusters + refcount_block_clusters - 1) ((table_clusters + refcount_block_clusters - 1)
/ refcount_block_clusters); / refcount_block_clusters);
......
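Review bot: In the new `size_to_clusters(s, table_size * sizeof(uint64_t))` call, the multiplication has no visible overflow check, so if `table_size` can be influenced by image contents it should be bounded before this loop; otherwise the product can wrap and again produce a cluster count that is too small. Since the commit message attributes the bug to a missing entry-size factor, a short comment stating that `table_size` counts entries rather than bytes would help prevent the same unit confusion at other call sites, and it is worth confirming that the allocation sized from `table_clusters` and `blocks_clusters` uses the same factor.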