From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([140.186.70.92]:56074) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1RBLeI-0005OP-NE for qemu-devel@nongnu.org; Wed, 05 Oct 2011 03:12:17 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1RBLeH-0005Kc-RS for qemu-devel@nongnu.org; Wed, 05 Oct 2011 03:12:14 -0400 Received: from mail-wy0-f173.google.com ([74.125.82.173]:40277) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1RBLeH-0005Je-N2 for qemu-devel@nongnu.org; Wed, 05 Oct 2011 03:12:13 -0400 Received: by wyh22 with SMTP id 22so1502868wyh.4 for ; Wed, 05 Oct 2011 00:12:12 -0700 (PDT) Sender: Paolo Bonzini From: Paolo Bonzini Date: Wed, 5 Oct 2011 09:12:03 +0200 Message-Id: <1317798728-28938-2-git-send-email-pbonzini@redhat.com> In-Reply-To: <1317798728-28938-1-git-send-email-pbonzini@redhat.com> References: <1317798728-28938-1-git-send-email-pbonzini@redhat.com> Subject: [Qemu-devel] [PATCH 1/6] vvfat: fix out of bounds array_get usage List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org When reading the address of the first free entry, you cannot use array_get without first marking all entries as occupied. This is visible if you change the sectors per cluster on a floppy from 2 to 1. Signed-off-by: Paolo Bonzini --- block/vvfat.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/block/vvfat.c b/block/vvfat.c index f567c9a..cee3971 100644 --- a/block/vvfat.c +++ b/block/vvfat.c @@ -799,6 +799,7 @@ static int read_directory(BDRVVVFATState* s, int mapping_index) /* root directory */ int cur = s->directory.next; array_ensure_allocated(&(s->directory), ROOT_ENTRIES - 1); + s->directory.next = ROOT_ENTRIES; memset(array_get(&(s->directory), cur), 0, (ROOT_ENTRIES - cur) * sizeof(direntry_t)); } -- 1.7.6
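Review bot: the hunk does not guard against `cur` already being larger than ROOT_ENTRIES. `int cur = s->directory.next;` is read before `s->directory.next = ROOT_ENTRIES;` is written, so if the root directory already held more than ROOT_ENTRIES entries, the new assignment silently shrinks the array's logical length and `(ROOT_ENTRIES - cur) * sizeof(direntry_t)` goes negative and wraps to a huge `size_t` in the memset. Since the point of the change is to make `array_get(&(s->directory), cur)` pass its bounds check by marking the root entries as occupied, an explicit `assert(cur <= ROOT_ENTRIES);` (or an error return) before the assignment would document that invariant and stop an oversized root directory from turning into an out-of-bounds memset rather than an array_get failure. A one-line comment above the new assignment explaining why `next` must be raised before the memset would also help the next reader, since the reason is only in the commit message.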