From: Richard Genoud Date: Tue, 3 Nov 2020 11:11:23 +0000 (+0100) Subject: fs/squashfs: sqfs_read: don't write beyond buffer size X-Git-Tag: submit/tizen/20210106.015723~4 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=bb5b6958ed7e67a6e8c53dcddb398a0a01bf19d2;p=platform%2Fkernel%2Fu-boot.git fs/squashfs: sqfs_read: don't write beyond buffer size The length of the buffer wasn't taken into account when writing to the given buffer. Signed-off-by: Richard Genoud [jh80.chung: cherry picked from mainline commit cbd5e40ede4e5c6aedce9475325bdf80b7fa839b] Signed-off-by: Jaehoon Chung Change-Id: I14d9af77ac0a2c0d3e52c39824f3854dbbc4d58a
---
diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
index c8aded48f9..7ac480cf57 100644
--- a/fs/squashfs/sqfs.c
+++ b/fs/squashfs/sqfs.c
@@ -1418,6 +1418,8 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
 }
 finfo.size = len;
+ } else {
+ len = finfo.size;
 }
 if (datablk_count) {
@@ -1464,9 +1466,13 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
 if (ret) goto out;
+ if ((*actread + dest_len) > len)
+ dest_len = len - *actread;
 memcpy(buf + offset + *actread, datablock, dest_len);
 *actread += dest_len;
 } else {
+ if ((*actread + table_size) > len)
+ table_size = len - *actread;
 memcpy(buf + offset + *actread, data, table_size);
 *actread += table_size;
 }
@@ -1474,6 +1480,8 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
 data_offset += table_size;
 free(data_buffer);
 data_buffer = NULL;
+ if (*actread >= len)
+ break;
 }
 /*
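Review bot: The new `else` branch makes `len = finfo.size` the bound that the later clamps enforce, so on this path the limit is the file size recorded in the image rather than anything the caller stated about `buf`. The condition of the enclosing `if` lies outside the hunk; presumably it tests for a zero `len` meaning "read the whole file". That contract deserves a comment on the branch, for example `/* len == 0: read the whole file; caller must provide at least finfo.size bytes */`, because the visible part of the signature carries no separate capacity for `buf`.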
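Review bot: The two added clamps bound `*actread + dest_len` and `*actread + table_size` by `len`, but both `memcpy` calls still write at `buf + offset + *actread`, so with a non-zero `offset` the copy can end past `buf + len`. If `len` is the size of `buf`, as the commit message suggests, either the destination should not be shifted by `offset` (`memcpy(buf + *actread, datablock, dest_len);`) or the comparison should include it (`if ((offset + *actread + dest_len) > len)`). Which is correct depends on what `offset` means to callers, which this hunk does not show. The types of `dest_len` and `table_size` are also declared outside the hunk; if they are unsigned, the comparison against the signed `loff_t` values is worth an explicit cast so the clamp cannot be defeated by a conversion.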
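Review bot: The added `break` only leaves the enclosing loop, so the code that begins at the `/*` comment after the closing brace (outside this hunk) still runs once `*actread >= len`. If that code copies anything further into `buf`, it needs the same bound, or the function should finish early at this point instead. Placing the check after `free(data_buffer)` is right, since the early exit then cannot leak the block buffer; a short comment such as `/* requested length reached, stop reading blocks */` would make the intent clear.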