[PATCH v2 25/28] fs/squashfs: sqfs_read: don't write beyond buffer size

Richard Genoud richard.genoud at posteo.net
Tue Nov 3 12:11:23 CET 2020


The length of the buffer wasn't taken into account when writing to the
given buffer.

Signed-off-by: Richard Genoud <richard.genoud at posteo.net>
---
 fs/squashfs/sqfs.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
index fa3120aefd6..4710b2bd707 100644
--- a/fs/squashfs/sqfs.c
+++ b/fs/squashfs/sqfs.c
@@ -1416,6 +1416,8 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
 		}
 
 		finfo.size = len;
+	} else {
+		len = finfo.size;
 	}
 
 	if (datablk_count) {
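Review bot: The bound installed by the added `else` branch is `finfo.size`, not the capacity of `buf`, so on this path the clamps added further down limit writes to the file size as recorded in the filesystem rather than to anything the caller stated. The governing `if` is outside this hunk, but if this branch is the "zero length means read the whole file" case, the contract deserves a comment such as `/* len == 0: read the whole file; caller must guarantee buf can hold finfo.size bytes */`. It is also worth confirming that `finfo.size` has been sanity-checked before it is used as a write bound, since it presumably originates from image metadata.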
@@ -1462,9 +1464,13 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
 			if (ret)
 				goto out;
 
+			if ((*actread + dest_len) > len)
+				dest_len = len - *actread;
 			memcpy(buf + offset + *actread, datablock, dest_len);
 			*actread += dest_len;
 		} else {
+			if ((*actread + table_size) > len)
+				table_size = len - *actread;
 			memcpy(buf + offset + *actread, data, table_size);
 			*actread += table_size;
 		}
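Review bot: The added clamps cap the number of bytes copied at `len`, but both `memcpy` destinations are still `buf + offset + *actread`, so with a non-zero `offset` the last byte written lands at `buf + offset + len - 1`. If `buf` holds `len` bytes and `offset` is a position in the file (its meaning is not visible in this hunk), the copy can still run past the buffer. In that case the destination should be `buf + *actread` in both branches. Separately, `len - *actread` is only non-negative when `*actread <= len` holds on loop entry; the initialisation of `*actread` is outside the hunk and should be checked. The enclosing loop starts and ends outside the hunk.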
@@ -1472,6 +1478,8 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
 		data_offset += table_size;
 		free(data_buffer);
 		data_buffer = NULL;
+		if (*actread >= len)
+			break;
 	}
 
 	/*

