From: Gao Xiang <hsiangkao@linux.alibaba.com>
Date: Fri, 2 Aug 2024 01:55:26 +0000 (+0800)
Subject: erofs-utils: lib: fix out-of-bounds in erofs_io_xcopy()
X-Git-Tag: v1.8~12
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=945b6fe176507681791f44b3813f5fec18b1cca3;p=platform%2Fupstream%2Ferofs-utils.git

erofs-utils: lib: fix out-of-bounds in erofs_io_xcopy()

Coverity-id: 502334
Reviewed-by: Sandeep Dhavale <dhavale@google.com>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Link: https://lore.kernel.org/r/20240802015527.2113797-2-hsiangkao@linux.alibaba.com
---

diff --git a/include/erofs/io.h b/include/erofs/io.h
index f53abed..d9b33d2 100644
--- a/include/erofs/io.h
+++ b/include/erofs/io.h
@@ -34,7 +34,7 @@ struct erofs_vfops {
 	off_t (*lseek)(struct erofs_vfile *vf, u64 offset, int whence);
 	int (*fstat)(struct erofs_vfile *vf, struct stat *buf);
 	int (*xcopy)(struct erofs_vfile *vout, off_t pos,
-		     struct erofs_vfile *vin, int len, bool noseek);
+		     struct erofs_vfile *vin, unsigned int len, bool noseek);
 };
 
 /* don't extend this; instead, use payload for any extra information */
@@ -61,7 +61,7 @@ off_t erofs_io_lseek(struct erofs_vfile *vf, u64 offset, int whence);
 ssize_t erofs_copy_file_range(int fd_in, u64 *off_in, int fd_out, u64 *off_out,
 			      size_t length);
 int erofs_io_xcopy(struct erofs_vfile *vout, off_t pos,
-		   struct erofs_vfile *vin, int len, bool noseek);
+		   struct erofs_vfile *vin, unsigned int len, bool noseek);
 
 #ifdef __cplusplus
 }
diff --git a/lib/io.c b/lib/io.c
index 9167321..4937db5 100644
--- a/lib/io.c
+++ b/lib/io.c
@@ -490,7 +490,7 @@ off_t erofs_io_lseek(struct erofs_vfile *vf, u64 offset, int whence)
 }
 
 int erofs_io_xcopy(struct erofs_vfile *vout, off_t pos,
-		   struct erofs_vfile *vin, int len, bool noseek)
+		   struct erofs_vfile *vin, unsigned int len, bool noseek)
 {
 	if (vout->ops)
 		return vout->ops->xcopy(vout, pos, vin, len, noseek);
@@ -519,7 +519,7 @@ int erofs_io_xcopy(struct erofs_vfile *vout, off_t pos,
 
 	do {
 		char buf[32768];
-		int ret = min_t(int, len, sizeof(buf));
+		int ret = min_t(unsigned int, len, sizeof(buf));
 
 		ret = erofs_io_read(vin, buf, ret);
 		if (ret < 0)