From 6eeab85db0a730ad9e7e10d18926d5033b89de84 Mon Sep 17 00:00:00 2001
From: Daniel Verkamp
Date: Fri, 6 Dec 2019 10:17:45 +1100
Subject: [PATCH] qcow: avoid out-of-bounds access in alloc_refblocks

When all refblocks are consumed, the loop looking for the first free cluster would access the element at refcounts[refcounts.len()], which is out of bounds. Modify the free cluster search loop to check that the index is in bounds before accessing it.

Tested-by: Daniel Verkamp
Tested-by: kokoro
Reviewed-by: Dylan Reid
Commit-Queue: Daniel Verkamp
(cherry picked from crosvm commit f21572c7187c8beb9c6bfea6446351ae93200d01)
Fixes: #1792
Signed-off-by: Bo Chen
---
 qcow/src/qcow.rs | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/qcow/src/qcow.rs b/qcow/src/qcow.rs
index e17189b7f..37c6f5a24 100644
--- a/qcow/src/qcow.rs
+++ b/qcow/src/qcow.rs
@@ -769,11 +769,14 @@ impl QcowFile {
 let mut ref_table = vec![0; refcount_table_entries as usize];
 let mut first_free_cluster: u64 = 0;
 for refblock_addr in &mut ref_table {
- while refcounts[first_free_cluster as usize] != 0 {
- first_free_cluster += 1;
+ loop {
 if first_free_cluster >= refcounts.len() as u64 {
 return Err(Error::NotEnoughSpaceForRefcounts);
 }
+ if refcounts[first_free_cluster as usize] == 0 {
+ break;
+ }
+ first_free_cluster += 1;
 }
 *refblock_addr = first_free_cluster * cluster_size;