Message-ID: <53332FA8.6060405@redhat.com>
Date: Wed, 26 Mar 2014 20:51:04 +0100
From: Max Reitz
References: <1395835569-21193-1-git-send-email-stefanha@redhat.com> <1395835569-21193-8-git-send-email-stefanha@redhat.com>
In-Reply-To: <1395835569-21193-8-git-send-email-stefanha@redhat.com>
Subject: Re: [Qemu-devel] [PATCH for-2.0 07/47] block/cloop: fix offsets[] size off-by-one
To: Stefan Hajnoczi, qemu-devel@nongnu.org
Cc: Kevin Wolf, pmatouse@redhat.com, qemu-stable@nongnu.org

On 26.03.2014 13:05, Stefan Hajnoczi wrote:
> cloop stores the number of compressed blocks in the n_blocks header
> field. The file actually contains n_blocks + 1 offsets, where the extra
> offset is the end-of-file offset.
>
> The following line in cloop_read_block() results in an out-of-bounds
> offsets[] access:
>
>     uint32_t bytes = s->offsets[block_num + 1] - s->offsets[block_num];
>
> This patch allocates and loads the extra offset so that
> cloop_read_block() works correctly when the last block is accessed.
>
> Notice that we must free s->offsets[] unconditionally now since there is
> always an end-of-file offset.
>
> Signed-off-by: Stefan Hajnoczi
> Signed-off-by: Kevin Wolf
> ---
>  block/cloop.c              | 12 +++++-------
>  tests/qemu-iotests/075     |  5 +++++
>  tests/qemu-iotests/075.out |  4 ++++
>  3 files changed, 14 insertions(+), 7 deletions(-)

Reviewed-by: Max Reitz
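The off-by-one the quoted commit message describes, as an added example that is not part of this mail or of QEMU's block/cloop.c: a constructed offset table, a loader that can allocate either n_blocks or n_blocks + 1 entries, and a bounds-checked form of the cloop_read_block() size computation that shows why the last block is only reachable once the end-of-file offset is loaded. CloopState, cloop_load_offsets() and demo_block_bytes() are simplified stand-ins, not the driver's real definitions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed cloop-style table (not a real image): the header announces
 * N_BLOCKS compressed blocks and the file carries N_BLOCKS + 1 offsets, the
 * last being end-of-file. Host byte order here; the driver uses be64_to_cpu(). */
#define N_BLOCKS 3
static const uint64_t sample_offsets[N_BLOCKS + 1] = { 128, 640, 1200, 1800 };

typedef struct {
    uint32_t n_blocks;   /* from the image header */
    uint32_t n_offsets;  /* entries actually allocated in offsets[] */
    uint64_t *offsets;
} CloopState;

/* with_eof_offset == 0 mirrors the pre-patch driver (n_blocks entries),
 * 1 mirrors the fix (n_blocks + 1 entries, including the EOF offset). */
static int cloop_load_offsets(CloopState *s, const uint64_t *file,
                              uint32_t n_blocks, int with_eof_offset)
{
    s->n_blocks = n_blocks;
    s->n_offsets = n_blocks + (with_eof_offset ? 1 : 0);
    s->offsets = calloc(s->n_offsets, sizeof(uint64_t));
    if (!s->offsets) return -1;
    memcpy(s->offsets, file, s->n_offsets * sizeof(uint64_t));
    return 0;
}

/* The size computation from cloop_read_block(), plus the bounds check the
 * original lacked: -1 instead of reading offsets[block_num + 1] past the
 * allocation. With n_offsets == n_blocks the last block always fails here. */
static int64_t cloop_block_bytes(const CloopState *s, uint32_t block_num)
{
    if (block_num >= s->n_blocks || block_num + 1 >= s->n_offsets) return -1;
    return (int64_t)(s->offsets[block_num + 1] - s->offsets[block_num]);
}

/* Load the sample table either way, size one block, free unconditionally
 * (after the fix an offsets[] table always exists, as the commit message notes). */
static int64_t demo_block_bytes(uint32_t block_num, int with_eof_offset)
{
    CloopState s;
    int64_t bytes;
    if (cloop_load_offsets(&s, sample_offsets, N_BLOCKS, with_eof_offset) < 0) return -1;
    bytes = cloop_block_bytes(&s, block_num);
    free(s.offsets);
    return bytes;
}
```

With the pre-patch allocation, blocks 0 and 1 size correctly but block 2 (the last) is rejected by the check; with the end-of-file offset loaded, block 2 sizes to 600 bytes.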