diff mbox

[4/4] vvfat: initialize memory after allocating it

Message ID 20170715132841.9865-5-hpoussin@reactos.org
State New
Headers show

Commit Message

Hervé Poussineau July 15, 2017, 1:28 p.m. UTC 
This prevents some host to guest memory content leaks.

Fixes: https://bugs.launchpad.net/qemu/+bug/1599539

Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
---
 block/vvfat.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Philippe Mathieu-Daudé July 15, 2017, 10:24 p.m. UTC | #1 
Hi Hervé,

On 07/15/2017 10:28 AM, Hervé Poussineau wrote:
> This prevents some host to guest memory content leaks.
> 
> Fixes: https://bugs.launchpad.net/qemu/+bug/1599539
> 
> Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
> ---
>   block/vvfat.c | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/block/vvfat.c b/block/vvfat.c
> index afc6170a69..7340decef3 100644
> --- a/block/vvfat.c
> +++ b/block/vvfat.c
> @@ -115,6 +115,7 @@ static inline int array_ensure_allocated(array_t* array, int index)
>           array->pointer = g_realloc(array->pointer, new_size);
>           if (!array->pointer)
>               return -1;

isn't it safer:

if (likely(new_size > array->size)) {

> +        memset(array->pointer + array->size, 0, new_size - array->size);

}

?

>           array->size = new_size;
>           array->next = index + 1;
>       }
> 

Regards,

Phil.
Hervé Poussineau July 16, 2017, 5:39 a.m. UTC | #2 
Le 16/07/2017 à 00:24, Philippe Mathieu-Daudé a écrit :
> Hi Hervé,
>
> On 07/15/2017 10:28 AM, Hervé Poussineau wrote:
>> This prevents some host to guest memory content leaks.
>>
>> Fixes: https://bugs.launchpad.net/qemu/+bug/1599539
>>
>> Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
>> ---
>>   block/vvfat.c | 1 +
>>   1 file changed, 1 insertion(+)
>>
>> diff --git a/block/vvfat.c b/block/vvfat.c
>> index afc6170a69..7340decef3 100644
>> --- a/block/vvfat.c
>> +++ b/block/vvfat.c
>> @@ -115,6 +115,7 @@ static inline int array_ensure_allocated(array_t* array, int index)
>>           array->pointer = g_realloc(array->pointer, new_size);
>>           if (!array->pointer)
>>               return -1;
>
> isn't it safer:
>
> if (likely(new_size > array->size)) {

Not really, because the code is:
     if((index + 1) * array->item_size > array->size) {
         int new_size = (index + 32) * array->item_size;
         array->pointer = g_realloc(array->pointer, new_size);
         if (!array->pointer)
             return -1;
         array->size = new_size;
         array->next = index + 1;
     }

array->size is the size (in bytes) of the previous array.
new_size is (index + 32) * item_size
And, due to the "if", we know that (index + 1) * item_size > array->size.
So, new_size > array->size.

>
>> +        memset(array->pointer + array->size, 0, new_size - array->size);
>
> }
>
> ?
>
>>           array->size = new_size;
>>           array->next = index + 1;
>>       }
>>
>
> Regards,
>
> Phil.
>
diff mbox

Patch

diff --git a/block/vvfat.c b/block/vvfat.c
index afc6170a69..7340decef3 100644
--- a/block/vvfat.c
+++ b/block/vvfat.c
@@ -115,6 +115,7 @@  static inline int array_ensure_allocated(array_t* array, int index)
         array->pointer = g_realloc(array->pointer, new_size);
         if (!array->pointer)
             return -1;
+        memset(array->pointer + array->size, 0, new_size - array->size);
         array->size = new_size;
         array->next = index + 1;
     }