qcow: avoid out-of-bounds access in alloc_refblocks

When all refblocks are consumed, the loop looking for the first free cluster would access the element at refcounts[refcounts.len()], which is out of bounds. Modify the free cluster search loop to check that the index is in bounds before accessing it. BUG=chromium:1030751 TEST=qcow_fuzzer Change-Id: Ib2384b9cf1edeaadb99be5fc67c27a55c03fc6e9 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1953766 Tested-by: Daniel Verkamp <dverkamp@chromium.org> Tested-by: kokoro <noreply+kokoro@google.com> Reviewed-by: Dylan Reid <dgreid@chromium.org> Commit-Queue: Daniel Verkamp <dverkamp@chromium.org>
2024-11-25 05:03:05 +00:00 · 2019-12-06 10:17:45 +11:00 · 2019-12-06 10:17:45 +11:00 · f21572c718
commit f21572c718
parent aa77ea4045
1 changed files with 5 additions and 2 deletions
--- a/qcow/src/qcow.rs
+++ b/qcow/src/qcow.rs
@ -742,11 +742,14 @@ impl QcowFile {
            let mut ref_table = vec![0; refcount_table_entries as usize];
            let mut first_free_cluster: u64 = 0;
            for refblock_addr in &mut ref_table {
-                while refcounts[first_free_cluster as usize] != 0 {
-                    first_free_cluster += 1;
+                loop {
                    if first_free_cluster >= refcounts.len() as u64 {
                        return Err(Error::NotEnoughSpaceForRefcounts);
                    }
+                    if refcounts[first_free_cluster as usize] == 0 {
+                        break;
+                    }
+                    first_free_cluster += 1;
                }

                *refblock_addr = first_free_cluster * cluster_size;