fs/squashfs: sqfs_read: don't write beyond buffer size

The length of the buffer wasn't taken into account when writing to the given buffer. Signed-off-by: Richard Genoud <richard.genoud@posteo.net>
author: Richard Genoud 2020-11-03 12:11:23 +0100
committer: Tom Rini 2020-11-19 09:45:49 -0500
commit: cbd5e40ede4e5c6aedce9475325bdf80b7fa839b (patch)
tree: 56c385bc02404d248bed95312ccaf1adcfd5dfcc /fs
parent: 6d25bd3e9c1d317cdbd52a4c6bba11f912bb4d6a (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
index 435081638b8..1ecdd01cf7c 100644
--- a/fs/squashfs/sqfs.c
+++ b/fs/squashfs/sqfs.c
@@ -1415,6 +1415,8 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
 		}
 
 		finfo.size = len;
+	} else {
+		len = finfo.size;
 	}
 
 	if (datablk_count) {
@@ -1461,9 +1463,13 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
 			if (ret)
 				goto out;
 
+			if ((*actread + dest_len) > len)
+				dest_len = len - *actread;
 			memcpy(buf + offset + *actread, datablock, dest_len);
 			*actread += dest_len;
 		} else {
+			if ((*actread + table_size) > len)
+				table_size = len - *actread;
 			memcpy(buf + offset + *actread, data, table_size);
 			*actread += table_size;
 		}
@@ -1471,6 +1477,8 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
 		data_offset += table_size;
 		free(data_buffer);
 		data_buffer = NULL;
+		if (*actread >= len)
+			break;
 	}
 
 	/*
author	Richard Genoud	2020-11-03 12:11:23 +0100
committer	Tom Rini	2020-11-19 09:45:49 -0500
commit	cbd5e40ede4e5c6aedce9475325bdf80b7fa839b (patch)
tree	56c385bc02404d248bed95312ccaf1adcfd5dfcc /fs
parent	6d25bd3e9c1d317cdbd52a4c6bba11f912bb4d6a (diff)