Make sure the refcount table size will not overflow when multiplied by sizeof(uint64_t) and implicitly cast to int.
Signed-off-by: Max Reitz <mre...@redhat.com>
---
 block/qcow2-refcount.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index 1ff43d0..2912097 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -42,6 +42,10 @@ int qcow2_refcount_init(BlockDriverState *bs)
     BDRVQcowState *s = bs->opaque;
     int ret, refcount_table_size2, i;
 
+    if (s->refcount_table_size >= INT_MAX / sizeof(uint64_t)) {
+        goto fail;
+    }
+
     refcount_table_size2 = s->refcount_table_size * sizeof(uint64_t);
     s->refcount_table = g_malloc(refcount_table_size2);
     if (s->refcount_table_size > 0) {
-- 
1.8.4.2
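Review bot: The new guard only prevents the signed-int overflow in `refcount_table_size2`; a `s->refcount_table_size` just below `INT_MAX / sizeof(uint64_t)` still reaches `g_malloc` with an allocation of almost 2 GiB, and `g_malloc` aborts the process rather than returning NULL when that fails. If this value comes from the image header (as it presumably does, but that is outside the hunk), a tighter documented cap on the table size, or `g_try_malloc` followed by a NULL check returning `-ENOMEM`, would turn an untrusted-input failure into a clean open error instead of an abort. The `fail:` label and the rest of `qcow2_refcount_init` lie outside the hunk, and `ret` is still uninitialized at the new `goto fail`; if the label returns `ret`, assign it before jumping, e.g. `ret = -EFBIG;`. The comparison could also be `>` rather than `>=`, since a size of exactly `INT_MAX / sizeof(uint64_t)` still produces a product that fits in `int`; the stricter bound is harmless but worth a one-line comment, e.g. `/* keep refcount_table_size * sizeof(uint64_t) representable as int */`.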