The length of the given buffer was not taken into account when writing
into it.

Signed-off-by: Richard Genoud <richard.gen...@posteo.net>
---
 fs/squashfs/sqfs.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
index fa3120aefd6..4710b2bd707 100644
--- a/fs/squashfs/sqfs.c
+++ b/fs/squashfs/sqfs.c
@@ -1416,6 +1416,8 @@ int sqfs_read(const char *filename, void *buf, loff_t 
offset, loff_t len,
                }
 
                finfo.size = len;
+       } else {
+               len = finfo.size;
        }
 
        if (datablk_count) {
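Review bot: The new else branch appears to cover a caller passing len == 0 (read the whole file) so that the copy clamps later in the function have a bound, but the condition it belongs to is outside the hunk, so that intent is not readable here. A short comment on the else, such as `/* caller asked for the whole file: bound the copies by its size */`, would record it. The enclosing if and the rest of sqfs_read continue outside the hunk.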
@@ -1462,9 +1464,13 @@ int sqfs_read(const char *filename, void *buf, loff_t 
offset, loff_t len,
                        if (ret)
                                goto out;
 
+                       if ((*actread + dest_len) > len)
+                               dest_len = len - *actread;
                        memcpy(buf + offset + *actread, datablock, dest_len);
                        *actread += dest_len;
                } else {
+                       if ((*actread + table_size) > len)
+                               table_size = len - *actread;
                        memcpy(buf + offset + *actread, data, table_size);
                        *actread += table_size;
                }
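Review bot: The clamp `if ((*actread + dest_len) > len) dest_len = len - *actread;` (and its twin for table_size) assumes `*actread <= len`; if `*actread` were already past `len`, the difference goes negative and, since dest_len and table_size are declared outside the hunk, a conversion to an unsigned size would make the memcpy overrun instead of shrink. The `*actread >= len` break added further down protects later iterations only; the first depends on `*actread` being zeroed before the loop, which is also outside the hunk, so a guard at the loop head, `if (*actread >= len) break;` placed before any block is allocated, would make the bound self-contained. Separately, the bound is checked against `*actread` while the destination is `buf + offset + *actread`; if `offset` can be non-zero here, confirm that `len` is relative to `buf + offset`, otherwise the write can still pass the end of the buffer. sqfs_read begins and ends outside the hunk.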
@@ -1472,6 +1478,8 @@ int sqfs_read(const char *filename, void *buf, loff_t 
offset, loff_t len,
                data_offset += table_size;
                free(data_buffer);
                data_buffer = NULL;
+               if (*actread >= len)
+                       break;
        }
 
        /*
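Review bot: `data_offset += table_size;` now runs with a possibly clamped table_size (the else branch earlier in the loop shrinks it when the copy reaches len) just before the new break; that is harmless if data_offset is not read after the loop, which cannot be seen from here. If it is, clamp a separate copy length instead of table_size itself so the offset advance keeps the real block size. The loop head and the rest of sqfs_read are outside the hunk.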
