From 6305a0a9d559e97807b8bc6d5250fd525dc571a7 Mon Sep 17 00:00:00 2001 From: Marcin Slusarz Date: Mon, 4 Feb 2008 22:27:39 +0100 Subject: udf: fix udf_build_ustr udf_build_ustr was broken: - size == 1: dest->u_len = ptr[1 - 1], but at ptr[0] there's cmpID, so we created string with wrong length it should not happen, so we BUG() it - size > 1 and size < UDF_NAME_LEN: we set u_len correctly, but memcpy copied one needless byte - size == UDF_NAME_LEN - 1: memcpy overwrited u_len - with correct value, but... - size >= UDF_NAME_LEN: we copied UDF_NAME_LEN - 1 bytes, but dest->u_name is array of UDF_NAME_LEN - 2 bytes, so we were overwriting u_len with character from input string nobody noticed because all callers set size to acceptable values (constants within range) Signed-off-by: Marcin Slusarz Signed-off-by: Jan Kara --- fs/udf/unicode.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) (limited to 'fs') diff --git a/fs/udf/unicode.c b/fs/udf/unicode.c index 05bc505..24d6165 100644 --- a/fs/udf/unicode.c +++ b/fs/udf/unicode.c @@ -48,14 +48,16 @@ int udf_build_ustr(struct ustr *dest, dstring *ptr, int size) { int usesize; - if ((!dest) || (!ptr) || (!size)) + if (!dest || !ptr || !size) return -1; + BUG_ON(size < 2); - memset(dest, 0, sizeof(struct ustr)); - usesize = (size > UDF_NAME_LEN) ? UDF_NAME_LEN : size; + usesize = min_t(size_t, ptr[size - 1], sizeof(dest->u_name)); + usesize = min(usesize, size - 2); dest->u_cmpID = ptr[0]; - dest->u_len = ptr[size - 1]; - memcpy(dest->u_name, ptr + 1, usesize - 1); + dest->u_len = usesize; + memcpy(dest->u_name, ptr + 1, usesize); + memset(dest->u_name + usesize, 0, sizeof(dest->u_name) - usesize); return 0; } -- cgit v1.1