[U-Boot] [PATCH] fs: ext4: Prevent erasing buffer past file size

[Marek Vasut]

The variable 'n' represents the number of bytes to be read from a certain
offset in a file, to a certain offset in buffer 'buf'. The variable 'len'
represents the length of the entire file, clamped correctly to avoid any
overflows.

Therefore, comparing 'n' and 'len' to determine whether clearing 'n'
bytes of the buffer 'buf' at a certain offset would clear data past
buffer 'buf' cannot lead to a correct result, since the 'n' does not
contain the offset from the beginning of the file.

This patch keeps track of the amount of data read and checks for the
buffer overflow by comparing the 'n' to the remaining amount of data
to be read instead.

Signed-off-by: Marek Vasut <marex at denx.de>
Cc: Ian Ray <ian.ray at ge.com>
Cc: Martyn Welch <martyn.welch at collabora.co.uk>
Cc: Stefano Babic <sbabic at denx.de>
Cc: Tom Rini <trini at konsulko.com>
Fixes: ecdfb4195b20 ("ext4: recover from filesystem corruption when reading")
---
 fs/ext4/ext4fs.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
index 2a28031d14..537aa05eff 100644
--- a/fs/ext4/ext4fs.c
+++ b/fs/ext4/ext4fs.c
@@ -60,6 +60,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
 	lbaint_t delayed_extent = 0;
 	lbaint_t delayed_skipfirst = 0;
 	lbaint_t delayed_next = 0;
+	lbaint_t read_total = 0;
 	char *delayed_buf = NULL;
 	short status;
 
@@ -140,13 +141,14 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
 					return -1;
 				previous_block_number = -1;
 			}
-			/* Zero no more than `len' bytes. */
+			/* Zero no more than 'filesize' bytes. */
 			n = blocksize - skipfirst;
-			if (n > len)
-				n = len;
+			if (n > (len - read_total))
+				n = (len - read_total);
 			memset(buf, 0, n);
 		}
 		buf += blocksize - skipfirst;
+		read_total += blocksize - skipfirst;
 	}
 	if (previous_block_number != -1) {
 		/* spill */
-- 
2.16.2