fs/squashfs: sqfs_read: don't write beyond buffer size

The length of the buffer wasn't taken into account when writing to the given buffer. Signed-off-by: Richard Genoud <richard.genoud@posteo.net>

fs/squashfs: sqfs_read: don't write beyond buffer size
The length of the buffer wasn't taken into account when writing to the given buffer. Signed-off-by: Richard Genoud <richard.genoud@posteo.net>
cbd5e40e · Richard Genoud · Tom Rini · 6d25bd3e · cbd5e40e
Commit cbd5e40e authored Nov 03, 2020 by Richard Genoud Committed by Tom Rini Nov 19, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 0 deletions

fs/squashfs/sqfs.c fs/squashfs/sqfs.c +8 -0

No files found.
--- a/fs/squashfs/sqfs.c
+++ b/fs/squashfs/sqfs.c
@@ -1415,6 +1415,8 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
 		}

 		finfo.size = len;
+	} else {
+		len = finfo.size;
 	}

 	if (datablk_count) {
@@ -1461,9 +1463,13 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
 			if (ret)
 				goto out;

+			if ((*actread + dest_len) > len)
+				dest_len = len - *actread;
 			memcpy(buf + offset + *actread, datablock, dest_len);
 			*actread += dest_len;
 		} else {
+			if ((*actread + table_size) > len)
+				table_size = len - *actread;
 			memcpy(buf + offset + *actread, data, table_size);
 			*actread += table_size;
 		}
@@ -1471,6 +1477,8 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
 		data_offset += table_size;
 		free(data_buffer);
 		data_buffer = NULL;
+		if (*actread >= len)
+			break;
 	}

 	/*