qemu-img: Fix segfault during rebase

This fixes a possible read beyond the end of the temporary buffers used for
comparing data in the old and the new backing file.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

diff --git a/qemu-img.c b/qemu-img.c
index 0db8d4f1944f5656aec6fa98ef415ad9faad37dc..0465e4a3a838f7075f804efacdbc6b4999a0c1ea 100644 (file)
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -1224,7 +1224,7 @@ static int img_rebase(int argc, char **argv)
                 int pnum;
 
                 if (compare_sectors(buf_old + written * 512,
-                    buf_new + written * 512, n, &pnum))
+                    buf_new + written * 512, n - written, &pnum))
                 {
                     ret = bdrv_write(bs, sector + written,
                         buf_old + written * 512, pnum);