From: Cole Robinson Date: Fri, 4 Oct 2019 23:41:36 +0000 (-0400) Subject: storagefile: Fix backing format \0 check X-Git-Tag: v5.9.0-rc1~296 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9f0d3647553cdc3557600a9e10856f20004cff99;p=thirdparty%2Flibvirt.git storagefile: Fix backing format \0 check From qemu.git docs/interop/qcow2.txt == String header extensions == Some header extensions (such as the backing file format name and the external data file name) are just a single string. In this case, the header extension length is the string length and the string is not '\0' terminated. (The header extension padding can make it look like a string is '\0' terminated, but neither is padding always necessary nor is there a guarantee that zero bytes are used for padding.) So we shouldn't be checking for a \0 byte at the end of the backing format section. I think in practice there always is a \0 but we shouldn't depend on that. Reviewed-by: Michal Privoznik Signed-off-by: Cole Robinson --- diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c index 8cd576a463..4ee1168f0d 100644 --- a/src/util/virstoragefile.c +++ b/src/util/virstoragefile.c @@ -503,15 +503,21 @@ qcow2GetExtensions(const char *buf, break; switch (magic) { - case QCOW2_HDR_EXTENSION_END: - goto done; + case QCOW2_HDR_EXTENSION_BACKING_FORMAT: { + VIR_AUTOFREE(char *) tmp = NULL; + if (VIR_ALLOC_N(tmp, len + 1) < 0) + return -1; + memcpy(tmp, buf + offset, len); + tmp[len] = '\0'; - case QCOW2_HDR_EXTENSION_BACKING_FORMAT: - if (buf[offset+len] != '\0') - break; - *backingFormat = virStorageFileFormatTypeFromString(buf+offset); + *backingFormat = virStorageFileFormatTypeFromString(tmp); if (*backingFormat <= VIR_STORAGE_FILE_NONE) return -1; + break; + } + + case QCOW2_HDR_EXTENSION_END: + goto done; } offset += len;
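Review bot: In the QCOW2_HDR_EXTENSION_BACKING_FORMAT case, `memcpy(tmp, buf + offset, len)` copies len bytes whose count comes from the image header, and the check that offset + len stays inside buf is not visible in this hunk. Please confirm that the test before the `switch` covers the full len bytes, and that `len + 1` in the VIR_ALLOC_N call cannot wrap for the type of len. Separately, a name containing an embedded zero byte is silently truncated when tmp is passed to virStorageFileFormatTypeFromString, so consider rejecting the extension when `strlen(tmp) != len`. A one-line comment in the case citing the qcow2.txt rule that string header extensions are not '\0' terminated would explain why the copy is needed and keep it from being simplified back to a direct read of buf.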