Patchwork [1/6] vvfat: fix out of bounds array_get usage

Submitter Paolo Bonzini
Date Oct. 5, 2011, 7:12 a.m.
Message ID <1317798728-28938-2-git-send-email-pbonzini@redhat.com>
Permalink /patch/117747/
State New

Comments

Paolo Bonzini - Oct. 5, 2011, 7:12 a.m.
When reading the address of the first free entry, you cannot
use array_get without first marking all entries as occupied.

This is visible if you change the sectors per cluster on a
floppy from 2 to 1.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 block/vvfat.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

Patch

diff --git a/block/vvfat.c b/block/vvfat.c
index f567c9a..cee3971 100644
--- a/block/vvfat.c
+++ b/block/vvfat.c
@@ -799,6 +799,7 @@  static int read_directory(BDRVVVFATState* s, int mapping_index)
 	/* root directory */
 	int cur = s->directory.next;
 	array_ensure_allocated(&(s->directory), ROOT_ENTRIES - 1);
+	s->directory.next = ROOT_ENTRIES;
 	memset(array_get(&(s->directory), cur), 0,
 		(ROOT_ENTRIES - cur) * sizeof(direntry_t));
     }
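
Review bot: the added `s->directory.next = ROOT_ENTRIES;` is unconditional, and nothing in this hunk establishes that `cur` (the previous value of `next`) is at most ROOT_ENTRIES. If it were larger, the assignment would move `next` backwards and `(ROOT_ENTRIES - cur) * sizeof(direntry_t)` in the following memset would be computed from a negative count. An `assert(cur <= ROOT_ENTRIES);` ahead of the assignment, or an explicit early return, would make the assumption checkable. A one-line comment on the new statement would also help: the commit message explains that array_get cannot be used until the entries are marked as occupied, but the code itself gives no hint why `next` is set by hand right after array_ensure_allocated().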