review.tizen.org Git - platform/kernel/linux-exynos.git/commit

author	Andrew Gabbasov <andrew_gabbasov@mentor.com>
	Thu, 24 Dec 2015 16:25:32 +0000 (10:25 -0600)
committer	Sasha Levin <sasha.levin@oracle.com>
	Mon, 1 Feb 2016 19:54:12 +0000 (14:54 -0500)
commit	d6341753c418d3699948290d8c0b9d9dc78bd209
tree	3d0c159023b5931bddc94f567b9deaa5a5631082	tree \| snapshot
parent	eaf7c91b334172cc4ec2871940baee3cc0ebeede	commit \| diff

udf: Prevent buffer overrun with multi-byte characters

[ Upstream commit ad402b265ecf6fa22d04043b41444cdfcdf4f52d ]

udf_CS0toUTF8 function stops the conversion when the output buffer
length reaches UDF_NAME_LEN-2, which is correct maximum name length,
but, when checking, it leaves the space for a single byte only,
while multi-bytes output characters can take more space, causing
buffer overflow.

Similar error exists in udf_CS0toNLS function, that restricts
the output length to UDF_NAME_LEN, while actual maximum allowed
length is UDF_NAME_LEN-2.

In these cases the output can override not only the current buffer
length field, causing corruption of the name buffer itself, but also
following allocation structures, causing kernel crash.

Adjust the output length checks in both functions to prevent buffer
overruns in case of multi-bytes UTF8 or NLS characters.

CC: stable@vger.kernel.org
Signed-off-by: Andrew Gabbasov <andrew_gabbasov@mentor.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>