diff options
author | Jan Kara <jack@suse.cz> | 2009-02-04 13:46:11 -0500 |
---|---|---|
committer | Jan Kara <jack@suse.cz> | 2009-04-02 06:29:53 -0400 |
commit | 59285c28d18b77437e6dc7c2abb9aaee10ec3a75 (patch) | |
tree | 70e567d2372045363f5062b59619f680f65172c3 /fs | |
parent | 557f5a1468394069da2bd6a63e23970ff12aa072 (diff) |
udf: Fix oops when invalid character in filename occurs
Functions udf_CS0toNLS() and udf_NLStoCS0() didn't count with the fact that
NLS can return negative length when invalid character is given to it for
conversion. Thus interesting things could happen (such as overwriting random
memory with the rest of filename). Add appropriate checks.
Signed-off-by: Jan Kara <jack@suse.cz>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/udf/unicode.c | 21 |
1 files changed, 16 insertions, 5 deletions
diff --git a/fs/udf/unicode.c b/fs/udf/unicode.c index a3bbdbde9f4b..cefa8c8913e6 100644 --- a/fs/udf/unicode.c +++ b/fs/udf/unicode.c | |||
@@ -254,7 +254,7 @@ static int udf_CS0toNLS(struct nls_table *nls, struct ustr *utf_o, | |||
254 | { | 254 | { |
255 | const uint8_t *ocu; | 255 | const uint8_t *ocu; |
256 | uint8_t cmp_id, ocu_len; | 256 | uint8_t cmp_id, ocu_len; |
257 | int i; | 257 | int i, len; |
258 | 258 | ||
259 | 259 | ||
260 | ocu_len = ocu_i->u_len; | 260 | ocu_len = ocu_i->u_len; |
@@ -279,8 +279,13 @@ static int udf_CS0toNLS(struct nls_table *nls, struct ustr *utf_o, | |||
279 | if (cmp_id == 16) | 279 | if (cmp_id == 16) |
280 | c = (c << 8) | ocu[i++]; | 280 | c = (c << 8) | ocu[i++]; |
281 | 281 | ||
282 | utf_o->u_len += nls->uni2char(c, &utf_o->u_name[utf_o->u_len], | 282 | len = nls->uni2char(c, &utf_o->u_name[utf_o->u_len], |
283 | UDF_NAME_LEN - utf_o->u_len); | 283 | UDF_NAME_LEN - utf_o->u_len); |
284 | /* Valid character? */ | ||
285 | if (len >= 0) | ||
286 | utf_o->u_len += len; | ||
287 | else | ||
288 | utf_o->u_name[utf_o->u_len++] = '?'; | ||
284 | } | 289 | } |
285 | utf_o->u_cmpID = 8; | 290 | utf_o->u_cmpID = 8; |
286 | 291 | ||
@@ -290,7 +295,8 @@ static int udf_CS0toNLS(struct nls_table *nls, struct ustr *utf_o, | |||
290 | static int udf_NLStoCS0(struct nls_table *nls, dstring *ocu, struct ustr *uni, | 295 | static int udf_NLStoCS0(struct nls_table *nls, dstring *ocu, struct ustr *uni, |
291 | int length) | 296 | int length) |
292 | { | 297 | { |
293 | unsigned len, i, max_val; | 298 | int len; |
299 | unsigned i, max_val; | ||
294 | uint16_t uni_char; | 300 | uint16_t uni_char; |
295 | int u_len; | 301 | int u_len; |
296 | 302 | ||
@@ -302,8 +308,13 @@ try_again: | |||
302 | u_len = 0U; | 308 | u_len = 0U; |
303 | for (i = 0U; i < uni->u_len; i++) { | 309 | for (i = 0U; i < uni->u_len; i++) { |
304 | len = nls->char2uni(&uni->u_name[i], uni->u_len - i, &uni_char); | 310 | len = nls->char2uni(&uni->u_name[i], uni->u_len - i, &uni_char); |
305 | if (len <= 0) | 311 | if (!len) |
306 | continue; | 312 | continue; |
313 | /* Invalid character, deal with it */ | ||
314 | if (len < 0) { | ||
315 | len = 1; | ||
316 | uni_char = '?'; | ||
317 | } | ||
307 | 318 | ||
308 | if (uni_char > max_val) { | 319 | if (uni_char > max_val) { |
309 | max_val = 0xffffU; | 320 | max_val = 0xffffU; |