aboutsummaryrefslogtreecommitdiff
path: root/block
diff options
context:
space:
mode:
authorKevin Wolf <kwolf@redhat.com>2010-02-16 15:54:49 +0100
committerAnthony Liguori <aliguori@us.ibm.com>2010-02-19 15:53:54 -0600
commit4805bb66969622f86376191c94c4748bce91e6be (patch)
treea93deae6e05d0608f7c5ce6d0e95927ed5a02c9d /block
parent0f853a386739b22e541e6e65ed60a0cb37713340 (diff)
downloadqemu-4805bb66969622f86376191c94c4748bce91e6be.zip
qemu-4805bb66969622f86376191c94c4748bce91e6be.tar.gz
qemu-4805bb66969622f86376191c94c4748bce91e6be.tar.bz2
qcow2: Fix access after end of array
If a write requests crosses a L2 table boundary and all clusters until the end of the L2 table are usable for the request, we must not look at the next L2 entry because we already have arrived at the end of the array. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Diffstat (limited to 'block')
-rw-r--r--block/qcow2-cluster.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
index 3501a94..b13b693 100644
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -750,12 +750,15 @@ int qcow2_alloc_cluster_offset(BlockDriverState *bs, uint64_t offset,
while (i < nb_clusters) {
i += count_contiguous_clusters(nb_clusters - i, s->cluster_size,
&l2_table[l2_index], i, 0);
-
- if(be64_to_cpu(l2_table[l2_index + i]))
+ if ((i >= nb_clusters) || be64_to_cpu(l2_table[l2_index + i])) {
break;
+ }
i += count_contiguous_free_clusters(nb_clusters - i,
&l2_table[l2_index + i]);
+ if (i >= nb_clusters) {
+ break;
+ }
cluster_offset = be64_to_cpu(l2_table[l2_index + i]);
@@ -763,6 +766,7 @@ int qcow2_alloc_cluster_offset(BlockDriverState *bs, uint64_t offset,
(cluster_offset & QCOW_OFLAG_COMPRESSED))
break;
}
+ assert(i <= nb_clusters);
nb_clusters = i;
/*