fs/squashfs: sqfs_read: don't write beyond buffer size
authorRichard Genoud <richard.genoud@posteo.net>
Tue, 3 Nov 2020 11:11:23 +0000 (12:11 +0100)
committerMarek Szyprowski <m.szyprowski@samsung.com>
Mon, 15 Nov 2021 10:37:12 +0000 (11:37 +0100)
The length of the buffer wasn't taken into account when writing to the
given buffer.

Signed-off-by: Richard Genoud <richard.genoud@posteo.net>
[jh80.chung: cherry picked from mainline commit cbd5e40ede4e5c6aedce9475325bdf80b7fa839b]
Signed-off-by: Jaehoon Chung <jh80.chung@samsung.com>
Change-Id: I14d9af77ac0a2c0d3e52c39824f3854dbbc4d58a

fs/squashfs/sqfs.c

index c8aded48f90c2efebbe3a5a8688eed61cd8e7b3c..7ac480cf5702a1b4e4684d877a13f376ed8041ff 100644 (file)
@@ -1418,6 +1418,8 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
                }
 
                finfo.size = len;
+       } else {
+               len = finfo.size;
        }
 
        if (datablk_count) {
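Review bot: In the added `else` branch, `len` is taken from `finfo.size`, so the limit used by the later clamps becomes the file size recorded in the image rather than anything the caller stated about `buf`. The condition of the `if` is outside the hunk; if this branch is the "no length given" case, the new checks cannot protect the buffer on that path, and the size comes from filesystem metadata that may not be trustworthy. If that reading is right, I would document the contract at the branch, for example `/* no length given: read the whole file; caller must provide at least finfo.size bytes */`, or have callers always pass their buffer capacity.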
@@ -1464,9 +1466,13 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
                        if (ret)
                                goto out;
 
+                       if ((*actread + dest_len) > len)
+                               dest_len = len - *actread;
                        memcpy(buf + offset + *actread, datablock, dest_len);
                        *actread += dest_len;
                } else {
+                       if ((*actread + table_size) > len)
+                               table_size = len - *actread;
                        memcpy(buf + offset + *actread, data, table_size);
                        *actread += table_size;
                }
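Review bot: Both added clamps compare `*actread + dest_len` and `*actread + table_size` against `len`, but the two `memcpy` destinations are `buf + offset + *actread`, so `offset` is left out of the bound. If `len` is the room available starting at `buf`, a nonzero `offset` still lets the copy end up to `offset` bytes past it. If `offset` is a position in the file rather than in the buffer, the destination should probably be `buf + *actread`; otherwise the comparison needs `offset` added (with `offset > len` rejected first). Which one applies depends on the caller contract, which is not visible here. The enclosing loop starts and ends outside this hunk.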
@@ -1474,6 +1480,8 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
                data_offset += table_size;
                free(data_buffer);
                data_buffer = NULL;
+               if (*actread >= len)
+                       break;
        }
 
        /*
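Review bot: The early `break` carries no comment saying that it ends the copy once `len` bytes have been delivered, and the code that follows the loop is not shown to respect the same limit. The placement after `free(data_buffer)` looks right, since leaving the loop here does not skip that free; a one-line comment such as `/* requested length reached; skip the remaining data blocks */` would make the intent clear. What comes after the loop begins at the comment on the last line of the hunk and is outside the view; if it copies more data into `buf`, it is worth confirming that it is bounded by `len` as well.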