
[06/11] vvfat: fix out of bounds array_get usage

Message ID 1320684918-6483-7-git-send-email-kwolf@redhat.com
State New

Commit Message

Kevin Wolf Nov. 7, 2011, 4:55 p.m. UTC
From: Paolo Bonzini <pbonzini@redhat.com>

When reading the address of the first free entry, you cannot
use array_get without first marking all entries as occupied.

This is visible if you change the sectors per cluster on a
floppy from 2 to 1.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
 block/vvfat.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

Patch

diff --git a/block/vvfat.c b/block/vvfat.c
index e1fcdbc..75d0dc0 100644
--- a/block/vvfat.c
+++ b/block/vvfat.c
@@ -799,6 +799,7 @@  static int read_directory(BDRVVVFATState* s, int mapping_index)
 	/* root directory */
 	int cur = s->directory.next;
 	array_ensure_allocated(&(s->directory), ROOT_ENTRIES - 1);
+	s->directory.next = ROOT_ENTRIES;
 	memset(array_get(&(s->directory), cur), 0,
 		(ROOT_ENTRIES - cur) * sizeof(direntry_t));
     }
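
Review bot: the memset after the added `s->directory.next = ROOT_ENTRIES;` still takes its length from `(ROOT_ENTRIES - cur) * sizeof(direntry_t)`, and nothing in the lines shown bounds `cur`. If `cur` could ever exceed ROOT_ENTRIES here, the `int` difference goes negative and becomes a very large size once multiplied by `sizeof`, and the new assignment would also move `next` backwards. An assertion or early error for `cur <= ROOT_ENTRIES` ahead of the assignment would make the invariant explicit. Separately, if `array_ensure_allocated` can fail, its result is not checked before `next` is raised to cover the newly claimed entries. A one-line comment on the added statement noting that `array_get` requires the entries to be marked occupied first, as the commit message explains, would keep the ordering from being undone by a later cleanup.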