[Qemu-devel] [PATCH for-2.0 04/47] block/cloop: prevent offsets_size integer overflow (CVE-2014-0143)

2014-03-26 Thread Stefan Hajnoczi
The following integer overflow in offsets_size can lead to out-of-bounds memory stores when n_blocks has a huge value: uint32_t n_blocks, offsets_size; [...] ret = bdrv_pread(bs->file, 128 + 4, &s->n_blocks, 4); [...] s->n_blocks = be32_to_cpu(s->n_blocks); /* read offsets */

Re: [Qemu-devel] [PATCH for-2.0 04/47] block/cloop: prevent offsets_size integer overflow (CVE-2014-0143)

2014-03-26 Thread Max Reitz
On 26.03.2014 13:05, Stefan Hajnoczi wrote: The following integer overflow in offsets_size can lead to out-of-bounds memory stores when n_blocks has a huge value: uint32_t n_blocks, offsets_size; [...] ret = bdrv_pread(bs->file, 128 + 4, &s->n_blocks, 4); [...] s->n_blocks
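As an added illustration of the offsets_size overflow that both messages above describe (example code, not the patch's own code and not QEMU's), the unchecked width-32 computation is shown beside a checked variant that rejects n_blocks before multiplying; the function names and the hostile n_blocks value are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked form: n_blocks * sizeof(uint64_t) is stored in a uint32_t, so a
 * huge header value is truncated (or wraps, on 32-bit size_t) to a tiny
 * offsets_size. A subsequent loop writing n_blocks entries into a buffer of
 * that size is exactly the out-of-bounds store the patch describes. */
uint32_t offsets_size_unchecked(uint32_t n_blocks)
{
    uint32_t offsets_size = n_blocks * sizeof(uint64_t); /* truncated to 32 bits */
    return offsets_size;
}

/* Checked form: bound n_blocks so the product cannot exceed UINT32_MAX.
 * Returns true and sets *out on success, false when the header is hostile. */
bool offsets_size_checked(uint32_t n_blocks, uint32_t *out)
{
    if (n_blocks > UINT32_MAX / sizeof(uint64_t)) {
        return false;
    }
    *out = n_blocks * (uint32_t)sizeof(uint64_t);
    return true;
}

/* Does a table of n_blocks uint64_t entries fit in offsets_size bytes?
 * Computed in 64 bits so the comparison itself cannot wrap. */
bool offsets_fit(uint32_t n_blocks, uint32_t offsets_size)
{
    return (uint64_t)n_blocks * sizeof(uint64_t) <= offsets_size;
}

int main(void)
{
    const uint32_t n_blocks = 0x20000001u; /* constructed hostile header value */
    uint32_t size;

    printf("unchecked offsets_size for %u blocks: %u bytes (fits: %s)\n",
           n_blocks, offsets_size_unchecked(n_blocks),
           offsets_fit(n_blocks, offsets_size_unchecked(n_blocks)) ? "yes" : "no");
    if (!offsets_size_checked(n_blocks, &size)) {
        printf("checked: n_blocks %u rejected before allocation\n", n_blocks);
    }
    return 0;
}
```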