udf: fix udf_build_ustr

udf_build_ustr was broken:

- size == 1:
    dest->u_len = ptr[1 - 1], but at ptr[0] there's cmpID,
    so we created string with wrong length
    it should not happen, so we BUG() it
- size > 1 and size < UDF_NAME_LEN:
    we set u_len correctly, but memcpy copied one needless byte
- size == UDF_NAME_LEN - 1:
    memcpy overwrited u_len - with correct value, but...
- size >= UDF_NAME_LEN:
    we copied UDF_NAME_LEN - 1 bytes, but dest->u_name is array
    of UDF_NAME_LEN - 2 bytes, so we were overwriting u_len with
    character from input string

nobody noticed because all callers set size
to acceptable values (constants within range)

Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>

1 files changed, 7 insertions, 5 deletions

diff --git a/fs/udf/unicode.c b/fs/udf/unicode.c
index 05bc505ec01..24d6165d21a 100644
--- a/fs/udf/unicode.c
+++ b/fs/udf/unicode.c
@@ -48,14 +48,16 @@ int udf_build_ustr(struct ustr *dest, dstring *ptr, int size)
 {
         int usesize;
 
-        if ((!dest) || (!ptr) || (!size))
+        if (!dest || !ptr || !size)
                 return -1;
+        BUG_ON(size < 2);
 
-        memset(dest, 0, sizeof(struct ustr));
-        usesize = (size > UDF_NAME_LEN) ? UDF_NAME_LEN : size;
+        usesize = min_t(size_t, ptr[size - 1], sizeof(dest->u_name));
+        usesize = min(usesize, size - 2);
         dest->u_cmpID = ptr[0];
-        dest->u_len = ptr[size - 1];
-        memcpy(dest->u_name, ptr + 1, usesize - 1);
+        dest->u_len = usesize;
+        memcpy(dest->u_name, ptr + 1, usesize);
+        memset(dest->u_name + usesize, 0, sizeof(dest->u_name) - usesize);
 
         return 0;
 }