vvfat: fix out of bounds array_get usage

When reading the address of the first free entry, you cannot
use array_get without first marking all entries as occupied.

This is visible if you change the sectors per cluster on a
floppy from 2 to 1.

Signed-off-by: Paolo Bonzini <[email protected]>
Signed-off-by: Kevin Wolf <[email protected]>

diff --git a/block/vvfat.c b/block/vvfat.c
index e1fcdbc45bfd2926a2beefafdf9008d03a044979..75d0dc07e0d1bc120e72108854b60133de1c7da8 100644 (file)
--- a/block/vvfat.c
+++ b/block/vvfat.c
@@ -799,6 +799,7 @@ static int read_directory(BDRVVVFATState* s, int mapping_index)
        /* root directory */
        int cur = s->directory.next;
        array_ensure_allocated(&(s->directory), ROOT_ENTRIES - 1);
+       s->directory.next = ROOT_ENTRIES;
        memset(array_get(&(s->directory), cur), 0,
                (ROOT_ENTRIES - cur) * sizeof(direntry_t));
     }