On 08/27/2014 02:18 PM, Max Reitz wrote:
> If the qcow2 check function detects a refcount block located beyond the
> image end, grow the image appropriately. This cannot break anything and
> is the logical fix for such a case.
> 
> Signed-off-by: Max Reitz <mreitz@redhat.com>
> ---
>  block/qcow2-refcount.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++----
>  1 file changed, 58 insertions(+), 4 deletions(-)
> 
> diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
> index babe6cb..394a402 100644
> --- a/block/qcow2-refcount.c
> +++ b/block/qcow2-refcount.c
> @@ -1505,7 +1505,8 @@ static int check_refblocks(BlockDriverState *bs, BdrvCheckResult *res,
>                             int64_t *nb_clusters)
>  {
>      BDRVQcowState *s = bs->opaque;
> -    int64_t i;
> +    int64_t i, size;
> +    int ret;
>  
>      for(i = 0; i < s->refcount_table_size; i++) {

Is it worth fixing up the whitespace on this 'for' at any point in the
series?


> +            if (fix & BDRV_FIX_ERRORS) {
> +                int64_t old_nb_clusters = *nb_clusters;
> +
> +                if (offset + s->cluster_size < offset ||
> +                    offset + s->cluster_size > INT64_MAX)

[1]

> +
> +                *refcount_table = g_try_realloc(*refcount_table,
> +                        *nb_clusters * sizeof(uint16_t));

I was about to complain that this multiply could overflow if
*nb_clusters is more than 2**62 bits, until I double checked that due to
the limit checking at [1], we know *nb_clusters is narrower.

Reviewed-by: Eric Blake <eblake@redhat.com>

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org