On 10.08.2017 at 09:52, Hu Chaojian wrote:
> From: chaojianhu <chaojia...@hotmail.com>
>
> In function qcow2_do_open, if "goto fail;" before calling qcow2_read_snapshots,
> then snapshots will always be NULL. When dealing with "fail:", qcow2_free_snapshots will be
> called, and s->snapshots will be dereferenced without being checked.

Did you try to reproduce an actual crash? Because I don't think there will
be one. In this case, s->nb_snapshots is 0, so the loop doesn't even run.

Kevin

> Reported-by: chaojianhu <chaojia...@hotmail.com>
> Signed-off-by: chaojianhu <chaojia...@hotmail.com>
>
> ---
>  block/qcow2-snapshot.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/block/qcow2-snapshot.c b/block/qcow2-snapshot.c
> index 44243e0..4a8128c 100644
> --- a/block/qcow2-snapshot.c
> +++ b/block/qcow2-snapshot.c
> @@ -35,6 +35,10 @@ void qcow2_free_snapshots(BlockDriverState *bs)
>      BDRVQcow2State *s = bs->opaque;
>      int i;
>
> +    if (NULL == s->snapshots) {
> +        return;
> +    }
> +
>      for(i = 0; i < s->nb_snapshots; i++) {
>          g_free(s->snapshots[i].name);
>          g_free(s->snapshots[i].id_str);
> --
> 1.9.1
>
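Review bot: the early return added before the loop guards a dereference that the loop condition already prevents. When s->snapshots is NULL because qcow2_read_snapshots was never reached, s->nb_snapshots is still 0 (as the reply points out), so `for(i = 0; i < s->nb_snapshots; i++)` runs zero iterations and `s->snapshots[i]` is never evaluated. If a state with s->nb_snapshots != 0 and s->snapshots == NULL can actually occur, the commit message should show how it arises; otherwise the check is dead code and the patch should be dropped. As a style point, `if (NULL == s->snapshots)` is the reversed comparison form; `if (!s->snapshots)` reads more naturally.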