From: chaojianhu <chaojia...@hotmail.com>

In function qcow2_do_open, if "goto fail;" is executed before calling qcow2_read_snapshots, then snapshots will always be NULL. When dealing with "fail:", qcow2_free_snapshots will be called, and s->snapshots will be dereferenced without being checked.
Reported-by: chaojianhu <chaojia...@hotmail.com> Signed-off-by: chaojianhu <chaojia...@hotmail.com> --- block/qcow2-snapshot.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/block/qcow2-snapshot.c b/block/qcow2-snapshot.c index 44243e0..4a8128c 100644 --- a/block/qcow2-snapshot.c +++ b/block/qcow2-snapshot.c @@ -35,6 +35,10 @@ void qcow2_free_snapshots(BlockDriverState *bs) BDRVQcow2State *s = bs->opaque; int i; + if (NULL == s->snapshots) { + return; + } + for(i = 0; i < s->nb_snapshots; i++) { g_free(s->snapshots[i].name); g_free(s->snapshots[i].id_str); -- 1.9.1
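Review bot: The early return in qcow2_free_snapshots is the right guard for the failure path described in the message, because the loop is bounded by s->nb_snapshots rather than by the array itself, so a NULL s->snapshots with a non-zero s->nb_snapshots would be indexed before any g_free call; g_free(NULL) on its own would have been harmless, so the for loop is the only dereference this fixes. Two points for the hunk: prefer the form `if (!s->snapshots) {` over `if (NULL == s->snapshots) {`, which is how pointer checks are written elsewhere in the QEMU block layer; and it would help future readers to add a one-line comment above the check stating that the caller may reach this function from the qcow2_do_open error path before any snapshot table has been read, so the NULL case is expected rather than a sign of corruption. The pre-existing `for(i = 0; ...` context line is missing the space after `for`, but that is not this patch's change and can be left alone.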