udf: fix udf_build_ustr
udf_build_ustr was broken: - size == 1: dest->u_len = ptr[1 - 1], but at ptr[0] there's cmpID, so we created string with wrong length it should not happen, so we BUG() it - size > 1 and size < UDF_NAME_LEN: we set u_len correctly, but memcpy copied one needless byte - size == UDF_NAME_LEN - 1: memcpy overwrited u_len - with correct value, but... - size >= UDF_NAME_LEN: we copied UDF_NAME_LEN - 1 bytes, but dest->u_name is array of UDF_NAME_LEN - 2 bytes, so we were overwriting u_len with character from input string nobody noticed because all callers set size to acceptable values (constants within range) Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com> Signed-off-by: Jan Kara <jack@suse.cz>
This commit is contained in:
parent
79cfe0ff5f
commit
6305a0a9d5
@ -48,14 +48,16 @@ int udf_build_ustr(struct ustr *dest, dstring *ptr, int size)
|
|||||||
{
|
{
|
||||||
int usesize;
|
int usesize;
|
||||||
|
|
||||||
if ((!dest) || (!ptr) || (!size))
|
if (!dest || !ptr || !size)
|
||||||
return -1;
|
return -1;
|
||||||
|
BUG_ON(size < 2);
|
||||||
|
|
||||||
memset(dest, 0, sizeof(struct ustr));
|
usesize = min_t(size_t, ptr[size - 1], sizeof(dest->u_name));
|
||||||
usesize = (size > UDF_NAME_LEN) ? UDF_NAME_LEN : size;
|
usesize = min(usesize, size - 2);
|
||||||
dest->u_cmpID = ptr[0];
|
dest->u_cmpID = ptr[0];
|
||||||
dest->u_len = ptr[size - 1];
|
dest->u_len = usesize;
|
||||||
memcpy(dest->u_name, ptr + 1, usesize - 1);
|
memcpy(dest->u_name, ptr + 1, usesize);
|
||||||
|
memset(dest->u_name + usesize, 0, sizeof(dest->u_name) - usesize);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user