git.ipfire.org Git - thirdparty/qemu.git/commit
block/cloop: fix offsets[] size off-by-one
author    Stefan Hajnoczi <stefanha@redhat.com>
          Wed, 26 Mar 2014 12:05:29 +0000 (13:05 +0100)
committer Michael Roth <mdroth@linux.vnet.ibm.com>
          Thu, 3 Jul 2014 21:18:10 +0000 (16:18 -0500)
commit    dbd3e4a75cddbd99be51d1af5b26a5f3f6a134c2
tree      3eab189a6a2f8866171a648efd061763d35d5ce1
parent    0fda3e2d639fee7c3262485c48c3b5fd6c9b4114
block/cloop: fix offsets[] size off-by-one

cloop stores the number of compressed blocks in the n_blocks header
field.  The file actually contains n_blocks + 1 offsets, where the extra
offset is the end-of-file offset.

The following line in cloop_read_block() results in an out-of-bounds
offsets[] access:

    uint32_t bytes = s->offsets[block_num + 1] - s->offsets[block_num];

This patch allocates and loads the extra offset so that
cloop_read_block() works correctly when the last block is accessed.

Notice that we must free s->offsets[] unconditionally now since there is
always an end-of-file offset.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 42d43d35d907579179a39c924d169da924786f65)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
block/cloop.c
tests/qemu-iotests/075
tests/qemu-iotests/075.out
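The off-by-one the commit message describes, as an added C example that is not QEMU's code: a hypothetical minimal cloop state whose table holds n_blocks + 1 offsets (the extra one being the end-of-file offset, byte order assumed big-endian here), plus a bounds-checked form of the cloop_read_block() size subtraction, so that the last block's size reads the end-of-file entry instead of running past the table.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical minimal model (not QEMU's code) of the cloop state involved. */
typedef struct {
    uint32_t n_blocks;
    uint64_t *offsets;  /* n_blocks + 1 entries: block starts + end-of-file */
} cloop_state_t;

/* Load n_blocks + 1 64-bit offsets (assumed big-endian) from a raw header
 * buffer, as the fix does.  Returns 0 on success, -1 if buf is too short. */
static int cloop_load_offsets(cloop_state_t *s, uint32_t n_blocks,
                              const uint8_t *buf, size_t buf_len)
{
    size_t needed = ((size_t)n_blocks + 1) * 8;
    if (buf_len < needed) return -1;
    s->n_blocks = n_blocks;
    s->offsets = malloc(needed);
    if (!s->offsets) return -1;
    for (size_t i = 0; i <= n_blocks; i++) {
        uint64_t v = 0;
        for (int b = 0; b < 8; b++) v = (v << 8) | buf[i * 8 + b];
        s->offsets[i] = v;
    }
    return 0;
}

/* The subtraction from cloop_read_block(), bounds-checked: block n_blocks - 1
 * needs offsets[n_blocks], the entry an n_blocks-sized table does not hold. */
static int64_t cloop_block_size(const cloop_state_t *s, uint32_t block_num)
{
    if (block_num >= s->n_blocks) return -1;
    return (int64_t)(s->offsets[block_num + 1] - s->offsets[block_num]);
}

/* Constructed sample: 3 blocks starting at 128, 200, 260, end-of-file at 300.
 * Returns the size of the last block (index 2), or -1 if loading fails. */
static int64_t example_last_block_size(void)
{
    static const uint64_t off[] = { 128, 200, 260, 300 };  /* constructed */
    uint8_t buf[32];
    for (size_t i = 0; i < 4; i++)
        for (int b = 0; b < 8; b++)
            buf[i * 8 + b] = (uint8_t)(off[i] >> (56 - 8 * b));
    cloop_state_t s;
    if (cloop_load_offsets(&s, 3, buf, sizeof buf) != 0) return -1;
    int64_t sz = cloop_block_size(&s, 2);
    free(s.offsets);  /* always allocated now, so always freed */
    return sz;
}
```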