From: Paolo Bonzini Date: Wed, 5 Oct 2011 07:12:03 +0000 (+0200) Subject: vvfat: fix out of bounds array_get usage X-Git-Tag: v1.0-rc1~9^2~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2b6a43a835e5082dedc6a5eea39a59463f97c81c;p=thirdparty%2Fqemu.git vvfat: fix out of bounds array_get usage When reading the address of the first free entry, you cannot use array_get without first marking all entries as occupied. This is visible if you change the sectors per cluster on a floppy from 2 to 1. Signed-off-by: Paolo Bonzini Signed-off-by: Kevin Wolf
---
diff --git a/block/vvfat.c b/block/vvfat.c
index e1fcdbc45bf..75d0dc07e0d 100644
--- a/block/vvfat.c
+++ b/block/vvfat.c
@@ -799,6 +799,7 @@ static int read_directory(BDRVVVFATState* s, int mapping_index)
 /* root directory */
 int cur = s->directory.next;
 array_ensure_allocated(&(s->directory), ROOT_ENTRIES - 1);
+ s->directory.next = ROOT_ENTRIES;
 memset(array_get(&(s->directory), cur), 0,
 (ROOT_ENTRIES - cur) * sizeof(direntry_t));
 }
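Review bot: Nothing visible in this hunk guarantees `cur <= ROOT_ENTRIES` before the `memset`. If the root directory already holds more entries than that, `(ROOT_ENTRIES - cur) * sizeof(direntry_t)` goes negative and converts to a huge `size_t` length, and the new `s->directory.next = ROOT_ENTRIES;` would also move `next` backwards over entries already in use. Unless a limit is enforced earlier in `read_directory` (its body starts and ends outside the hunk), add a guard ahead of the assignment such as `if (cur > ROOT_ENTRIES) { /* too many root entries: fail via this function's error path */ }`. The return value of `array_ensure_allocated` is also ignored here, so if it can report an allocation failure it should be checked before `array_get` is used. A short comment on the new line would help too, e.g. `/* array_get() is only valid below ->next, so mark every root entry as occupied first */`.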