From patchwork Tue Feb 16 14:54:49 2010
X-Patchwork-Submitter: Kevin Wolf
X-Patchwork-Id: 45505
From: Kevin Wolf
To: qemu-devel@nongnu.org
Date: Tue, 16 Feb 2010 15:54:49 +0100
Message-Id: <1266332089-14381-1-git-send-email-kwolf@redhat.com>
Cc: kwolf@redhat.com
Subject: [Qemu-devel] [PATCH] qcow2: Fix access after end of array

If a write request crosses a L2 table boundary and all clusters until the end of the L2 table are usable for the request, we must not look at the next L2 entry because we already have arrived at the end of the array.

Signed-off-by: Kevin Wolf

--- block/qcow2-cluster.c | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c index 3501a94..b13b693 100644 --- a/block/qcow2-cluster.c +++ b/block/qcow2-cluster.c @@ -750,12 +750,15 @@ int qcow2_alloc_cluster_offset(BlockDriverState *bs, uint64_t offset, while (i < nb_clusters) { i += count_contiguous_clusters(nb_clusters - i, s->cluster_size, &l2_table[l2_index], i, 0); - - if(be64_to_cpu(l2_table[l2_index + i])) + if ((i >= nb_clusters) || be64_to_cpu(l2_table[l2_index + i])) { break; + } i += count_contiguous_free_clusters(nb_clusters - i, &l2_table[l2_index + i]); + if (i >= nb_clusters) { + break; + } cluster_offset = be64_to_cpu(l2_table[l2_index + i]); @@ -763,6 +766,7 @@ int qcow2_alloc_cluster_offset(BlockDriverState *bs, uint64_t offset, (cluster_offset & QCOW_OFLAG_COMPRESSED)) break; } + assert(i <= nb_clusters); nb_clusters = i; /*
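Review bot: the new `(i >= nb_clusters) ||` guard in the first hunk (@@ -750,12 +750,15 @@) is correct only because `||` short-circuits before `l2_table[l2_index + i]` is evaluated, and that is worth a one-line comment: once count_contiguous_clusters has consumed every remaining cluster, `l2_index + i` points one entry past the range the request covers, which, per the commit message, can be past the end of the L2 table, so the entry must not be read. The same reasoning applies to the second added check, `if (i >= nb_clusters) { break; }` after count_contiguous_free_clusters, which now protects the `cluster_offset = be64_to_cpu(l2_table[l2_index + i]);` read; a short comment at each exit explaining why both are needed (each counting helper can independently exhaust nb_clusters) would save the next reader from trying to collapse them into a single check at the loop head.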
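Review bot: the `assert(i <= nb_clusters);` added in the second hunk (@@ -763,6 +766,7 @@) before `nb_clusters = i;` documents the invariant that the first hunk's early exits now establish, but an assert is compiled out under NDEBUG, so it is a development-time regression check rather than a runtime guard; the two `i >= nb_clusters` breaks remain the actual fix and the commit message could say so. Style: the existing `break;` after the `(cluster_offset & QCOW_OFLAG_COMPRESSED))` condition in this hunk is still unbraced while the first hunk adds braces around its new single-statement ifs; consider bracing it too for consistency within the loop.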