From: Ján Tomko Date: Mon, 30 Jan 2017 12:52:02 +0000 (+0100) Subject: util: fix off-by-one when expanding a bitmap X-Git-Tag: CVE-2017-2635~114 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4a41cf18b1356118e64c431ab551f63e12d3fb64;p=thirdparty%2Flibvirt.git util: fix off-by-one when expanding a bitmap To make sure bit 'b' fits into the bitmap, we need to allocate b+1 bits, since we number from 0. Adjust the bitmap test to set a bit at a multiple of 16. That way the test fails without this fix, because the VIR_REALLOC call clears the newly added memory even if the original pointer has not changed. --- diff --git a/src/util/virbitmap.c b/src/util/virbitmap.c index 0c04f1a138..1b47d74cd7 100644 --- a/src/util/virbitmap.c +++ b/src/util/virbitmap.c @@ -187,7 +187,7 @@ int virBitmapSetBit(virBitmapPtr bitmap, size_t b) */ static int virBitmapExpand(virBitmapPtr map, size_t b) { - size_t new_len = VIR_DIV_UP(b, VIR_BITMAP_BITS_PER_UNIT); + size_t new_len = VIR_DIV_UP(b + 1, VIR_BITMAP_BITS_PER_UNIT); /* resize the memory if necessary */ if (map->map_len < new_len) { diff --git a/tests/virbitmaptest.c b/tests/virbitmaptest.c index a17ef82fb8..3ee07ff971 100644 --- a/tests/virbitmaptest.c +++ b/tests/virbitmaptest.c @@ -639,15 +639,15 @@ test12(const void *opaque ATTRIBUTE_UNUSED) TEST_MAP(0, ""); - if (virBitmapSetBitExpand(map, 100) < 0) + if (virBitmapSetBitExpand(map, 128) < 0) goto cleanup; - TEST_MAP(101, "100"); + TEST_MAP(129, "128"); if (virBitmapClearBitExpand(map, 150) < 0) goto cleanup; - TEST_MAP(151, "100"); + TEST_MAP(151, "128"); virBitmapFree(map); if (virBitmapParseUnlimited("34,1023", &map) < 0)
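Review bot: In the src/util/virbitmap.c hunk, `b + 1` inside `VIR_DIV_UP(b + 1, VIR_BITMAP_BITS_PER_UNIT)` wraps to 0 when `b` is the maximum `size_t` value, so `new_len` becomes 0 and the `if (map->map_len < new_len)` resize branch is skipped for a bit index that cannot fit. If callers can pass an unbounded `b` into virBitmapExpand, reject that value before computing `new_len` and return an error. If they cannot, say so in the function comment, so that the `+ 1` is not later read as safe for any input.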
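Review bot: In the tests/virbitmaptest.c hunk, test12 replaces the only expansion case (bit 100) with bit 128, and nothing in the test says that the value must sit on a unit boundary for the regression to be caught. That reasoning is only in the commit message. Add a short comment above `virBitmapSetBitExpand(map, 128)` stating that the index is deliberately a multiple of the unit size, so a later edit does not change it back to a value that passes without the fix. Also consider keeping a non-boundary expansion alongside it, so both paths stay covered.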