From ce8663ee13e68b8f21dce6e2cf612d3809519787 Mon Sep 17 00:00:00 2001

From: Alasdair G Kergon <agk@redhat.com>

Date: Wed, 10 Jan 2018 02:03:32 +0000

Subject: [PATCH 12/25] allocation: Avoid exceeding array bounds in allocation

 tag code

If _limit_to_one_area_per_tag() changes nothing it writes beyond

the array.

(cherry picked from commit bacc94233368cf136b55e2574e969e7f53b31c6c)

Conflicts:

	WHATS_NEW

---

 WHATS_NEW               | 4 ++++

 lib/metadata/lv_manip.c | 3 ++-

 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/WHATS_NEW b/WHATS_NEW

index 2163a5e..9375a86 100644

--- a/WHATS_NEW

+++ b/WHATS_NEW

@@ -1,3 +1,7 @@

+Version 2.02.178 - 

+=====================================

+  Avoid exceeding array bounds in allocation tag processing.

+

 Version 2.02.177 - 18th December 2017

 =====================================

   When writing text metadata content, use complete 4096 byte blocks.

diff --git a/lib/metadata/lv_manip.c b/lib/metadata/lv_manip.c

index 70dc2d9..ac30dad 100644

--- a/lib/metadata/lv_manip.c

+++ b/lib/metadata/lv_manip.c

@@ -2737,7 +2737,8 @@ static int _limit_to_one_area_per_tag(struct alloc_handle *ah, struct alloc_stat

 		s++;

 	}

-	alloc_state->areas[u].pva = NULL;

+	if (u < alloc_state->areas_size)

+		alloc_state->areas[u].pva = NULL;

 	return 1;

 }

-- 

1.8.3.1