Commit 3dfa23b9 authored by Kevin Wolf's avatar Kevin Wolf
Browse files

vvfat: Fix array_remove_slice() 



array_remove_slice() calls array_roll() with array->next - 1 as the
destination index. This is only correct for count == 1, otherwise we're
writing past the end of the array. array->next - count would be correct.

However, this is the only place ever calling array_roll(), so this
rather complicated operation isn't even necessary.

Fix the problem and simplify the code by replacing it with a single
memmove() call. array_roll() can now be removed.

Reported-by: default avatarNathan Huckleberry <nhuck15@gmail.com>
Signed-off-by: default avatarKevin Wolf <kwolf@redhat.com>
Message-Id: <20200623175534.38286-3-kwolf@redhat.com>
Reviewed-by: default avatarEric Blake <eblake@redhat.com>
Signed-off-by: default avatarKevin Wolf <kwolf@redhat.com>
parent c79e243e

block/vvfat.c

+5 −37
Original line number Diff line number Diff line
@@ -140,48 +140,16 @@ static inline void* array_insert(array_t* array,unsigned int index,unsigned int 
    return array->pointer+index*array->item_size;

}



/* this performs a "roll", so that the element which was at index_from becomes

 * index_to, but the order of all other elements is preserved. */

static inline int array_roll(array_t* array,int index_to,int index_from,int count)

{

    char* buf;

    char* from;

    char* to;

    int is;



    if(!array ||

            index_to<0 || index_to>=array->next ||

            index_from<0 || index_from>=array->next)

        return -1;



    if(index_to==index_from)

        return 0;



    is=array->item_size;

    from=array->pointer+index_from*is;

    to=array->pointer+index_to*is;

    buf=g_malloc(is*count);

    memcpy(buf,from,is*count);



    if(index_to<index_from)

        memmove(to+is*count,to,from-to);

    else

        memmove(from,from+is*count,to-from);



    memcpy(to,buf,is*count);



    g_free(buf);



    return 0;

}



static inline int array_remove_slice(array_t* array,int index, int count)

{

    assert(index >=0);

    assert(count > 0);

    assert(index + count <= array->next);

    if(array_roll(array,array->next-1,index,count))

        return -1;



    memmove(array->pointer + index * array->item_size,

            array->pointer + (index + count) * array->item_size,

            (array->next - index - count) * array->item_size);



    array->next -= count;

    return 0;

}