On Fri, 29 Mar 2019 at 15:27, Daniel P. Berrangé <berra...@redhat.com> wrote:
> Yeah this code is even more of a disaster than I realized. This filename
> handling is probably CVE worthy.

My subjective impression is that hw/usb/dev-mtp.c has also been a
fertile source of Coverity scan issues; if anybody with an understanding
of the relevant bit of the USB spec has the time to do a whole-file
code review that might be worthwhile.

thanks
-- PMM