From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1Niaux-0003FV-42
	for qemu-devel@nongnu.org; Fri, 19 Feb 2010 17:01:47 -0500
Received: from [199.232.76.173] (port=48985 helo=monty-python.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1Niauw-0003F0-BP
	for qemu-devel@nongnu.org; Fri, 19 Feb 2010 17:01:46 -0500
Received: from Debian-exim by monty-python.gnu.org with spam-scanned (Exim
	4.60) (envelope-from <anthony@codemonkey.ws>) id 1Niauu-0002EF-N7
	for qemu-devel@nongnu.org; Fri, 19 Feb 2010 17:01:45 -0500
Received: from mail-yx0-f200.google.com ([209.85.210.200]:56619)
	by monty-python.gnu.org with esmtp (Exim 4.60)
	(envelope-from <anthony@codemonkey.ws>) id 1Niauu-0002CQ-CS
	for qemu-devel@nongnu.org; Fri, 19 Feb 2010 17:01:44 -0500
Received: by mail-yx0-f200.google.com with SMTP id 38so521972yxe.4
	for <qemu-devel@nongnu.org>; Fri, 19 Feb 2010 14:01:44 -0800 (PST)
Message-ID: <4B7F0A44.6060609@codemonkey.ws>
Date: Fri, 19 Feb 2010 16:01:40 -0600
From: Anthony Liguori <anthony@codemonkey.ws>
MIME-Version: 1.0
Subject: Re: [Qemu-devel] [PATCH] qcow2: Fix access after end of array
References: <1266332089-14381-1-git-send-email-kwolf@redhat.com>
In-Reply-To: <1266332089-14381-1-git-send-email-kwolf@redhat.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Kevin Wolf <kwolf@redhat.com>
Cc: qemu-devel@nongnu.org

On 02/16/2010 08:54 AM, Kevin Wolf wrote:
> If a write requests crosses a L2 table boundary and all clusters until the
> end of the L2 table are usable for the request, we must not look at the next
> L2 entry because we already have arrived at the end of the array.
>
> Signed-off-by: Kevin Wolf<kwolf@redhat.com>
>    

Applied.  Thanks.

Regards,

Anthony Liguori
> ---
>   block/qcow2-cluster.c |    8 ++++++--
>   1 files changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
> index 3501a94..b13b693 100644
> --- a/block/qcow2-cluster.c
> +++ b/block/qcow2-cluster.c
> @@ -750,12 +750,15 @@ int qcow2_alloc_cluster_offset(BlockDriverState *bs, uint64_t offset,
>       while (i<  nb_clusters) {
>           i += count_contiguous_clusters(nb_clusters - i, s->cluster_size,
>                   &l2_table[l2_index], i, 0);
> -
> -        if(be64_to_cpu(l2_table[l2_index + i]))
> +        if ((i>= nb_clusters) || be64_to_cpu(l2_table[l2_index + i])) {
>               break;
> +        }
>
>           i += count_contiguous_free_clusters(nb_clusters - i,
>                   &l2_table[l2_index + i]);
> +        if (i>= nb_clusters) {
> +            break;
> +        }
>
>           cluster_offset = be64_to_cpu(l2_table[l2_index + i]);
>
> @@ -763,6 +766,7 @@ int qcow2_alloc_cluster_offset(BlockDriverState *bs, uint64_t offset,
>                   (cluster_offset&  QCOW_OFLAG_COMPRESSED))
>               break;
>       }
> +    assert(i<= nb_clusters);
>       nb_clusters = i;
>
>       /*
>