diff options
author | Marcin Slusarz <marcin.slusarz@gmail.com> | 2008-02-04 16:27:39 -0500 |
---|---|---|
committer | Jan Kara <jack@suse.cz> | 2008-04-17 08:22:24 -0400 |
commit | 6305a0a9d559e97807b8bc6d5250fd525dc571a7 (patch) | |
tree | 5f644150de3fac27458f347cf9d59d0a52ba3611 /fs/udf/unicode.c | |
parent | 79cfe0ff5fb585b92126365a2881262945ac0ee9 (diff) |
udf: fix udf_build_ustr
udf_build_ustr was broken:
- size == 1:
dest->u_len = ptr[1 - 1], but at ptr[0] there's cmpID,
so we created string with wrong length
it should not happen, so we BUG() it
- size > 1 and size < UDF_NAME_LEN:
we set u_len correctly, but memcpy copied one needless byte
- size == UDF_NAME_LEN - 1:
memcpy overwrited u_len - with correct value, but...
- size >= UDF_NAME_LEN:
we copied UDF_NAME_LEN - 1 bytes, but dest->u_name is array
of UDF_NAME_LEN - 2 bytes, so we were overwriting u_len with
character from input string
nobody noticed because all callers set size
to acceptable values (constants within range)
Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Diffstat (limited to 'fs/udf/unicode.c')
-rw-r--r-- | fs/udf/unicode.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/fs/udf/unicode.c b/fs/udf/unicode.c index 05bc505ec01a..24d6165d21a9 100644 --- a/fs/udf/unicode.c +++ b/fs/udf/unicode.c | |||
@@ -48,14 +48,16 @@ int udf_build_ustr(struct ustr *dest, dstring *ptr, int size) | |||
48 | { | 48 | { |
49 | int usesize; | 49 | int usesize; |
50 | 50 | ||
51 | if ((!dest) || (!ptr) || (!size)) | 51 | if (!dest || !ptr || !size) |
52 | return -1; | 52 | return -1; |
53 | BUG_ON(size < 2); | ||
53 | 54 | ||
54 | memset(dest, 0, sizeof(struct ustr)); | 55 | usesize = min_t(size_t, ptr[size - 1], sizeof(dest->u_name)); |
55 | usesize = (size > UDF_NAME_LEN) ? UDF_NAME_LEN : size; | 56 | usesize = min(usesize, size - 2); |
56 | dest->u_cmpID = ptr[0]; | 57 | dest->u_cmpID = ptr[0]; |
57 | dest->u_len = ptr[size - 1]; | 58 | dest->u_len = usesize; |
58 | memcpy(dest->u_name, ptr + 1, usesize - 1); | 59 | memcpy(dest->u_name, ptr + 1, usesize); |
60 | memset(dest->u_name + usesize, 0, sizeof(dest->u_name) - usesize); | ||
59 | 61 | ||
60 | return 0; | 62 | return 0; |
61 | } | 63 | } |