From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from [140.186.70.92] (port=43388 helo=eggs.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1OR4As-0005mh-V8 for qemu-devel@nongnu.org; Tue, 22 Jun 2010 10:10:07 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.69) (envelope-from ) id 1OR4Ar-0007ep-66 for qemu-devel@nongnu.org; Tue, 22 Jun 2010 10:10:02 -0400
Received: from mx1.redhat.com ([209.132.183.28]:7955) by eggs.gnu.org with esmtp (Exim 4.69) (envelope-from ) id 1OR4Aq-0007eZ-VY for qemu-devel@nongnu.org; Tue, 22 Jun 2010 10:10:01 -0400
From: Kevin Wolf
Date: Tue, 22 Jun 2010 16:09:32 +0200
Message-Id: <1277215773-27357-14-git-send-email-kwolf@redhat.com>
In-Reply-To: <1277215773-27357-1-git-send-email-kwolf@redhat.com>
References: <1277215773-27357-1-git-send-email-kwolf@redhat.com>
Subject: [Qemu-devel] [PATCH 13/14] qcow2: Fix qemu-img check segfault on corrupted images
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
To: anthony@codemonkey.ws
Cc: kwolf@redhat.com, qemu-devel@nongnu.org

With corrupted images, we can easily get a cluster index that exceeds the array size of the temporary refcount table.

Signed-off-by: Kevin Wolf
---
 block/qcow2-refcount.c |   14 +++++++++++---
 1 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index c2d0e61..cedf57e 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -1140,22 +1140,30 @@ int qcow2_check_refcounts(BlockDriverState *bs) s->refcount_table_offset, s->refcount_table_size * sizeof(uint64_t)); for(i = 0; i < s->refcount_table_size; i++) { - int64_t offset; + uint64_t offset, cluster; offset = s->refcount_table[i]; + cluster = offset >> s->cluster_bits; /* Refcount blocks are cluster aligned */ if (offset & (s->cluster_size - 1)) { fprintf(stderr, "ERROR refcount block %d is not " "cluster aligned; refcount table entry corrupted\n", i); errors++; + continue; + } + + if (cluster >= nb_clusters) { + fprintf(stderr, "ERROR refcount block %d is outside image\n", i); + errors++; + continue; } if (offset != 0) { errors += inc_refcounts(bs, refcount_table, nb_clusters, offset, s->cluster_size); - if (refcount_table[offset / s->cluster_size] != 1) { + if (refcount_table[cluster] != 1) { fprintf(stderr, "ERROR refcount block %d refcount=%d\n", - i, refcount_table[offset / s->cluster_size]); + i, refcount_table[cluster]); } } } -- 1.6.6.1
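Review bot: the added `continue` after the "not cluster aligned" error is a behaviour change that the commit message does not mention: before this patch an unaligned, non-zero entry still fell through to `inc_refcounts()` and the `refcount_table[...] != 1` comparison, now it is skipped entirely; that is the safer choice (an unaligned offset cannot be a valid refcount block), but a sentence in the commit message saying so would help reviewers and bisecting. The new "ERROR refcount block %d is outside image" message reports only the table index; printing the offending offset as well (for example `"ERROR refcount block %d at offset 0x%" PRIx64 " is outside image\n", i, offset`) makes a corrupted image much easier to diagnose from the check output. Changing `offset` from `int64_t` to `uint64_t` and computing `cluster = offset >> s->cluster_bits` is the right choice: with a signed type, a corrupted entry with the top bit set would yield a negative index that a plain `>= nb_clusters` comparison would not reject, whereas as an unsigned value it is caught by the new bound check before `refcount_table[cluster]` is touched.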