tags 871539 +pending
thanks

Thanks for reporting this bug.  This will be fixed in the next
release.

                                                - Ted

commit 15cb3b973ed67262606e6aa68b3e64c59e997aac
Author: Theodore Ts'o <ty...@mit.edu>
Date:   Tue Aug 22 11:23:21 2017 -0400

    libext2fs: avoid potential out-of-bounds write if pread/pread64 fails
    
    In unix_io.c's raw_read_block(), if the initial attempt to call
    pread/pread64 fails because the offset is insane, the variable
    "actual" is left at -1, and then when lseek fails, the cleanup
    function will try to clear (as an out-of-bounds write) a single byte
    before the buffer.  Fix this.
    
    Addresses-Debian-Bug: #871539
    
    Signed-off-by: Theodore Ts'o <ty...@mit.edu>
    Reported-by: Jakub Wilk <jw...@jwilk.net>

diff --git a/lib/ext2fs/unix_io.c b/lib/ext2fs/unix_io.c
index f4e6148c4..64141954e 100644
--- a/lib/ext2fs/unix_io.c
+++ b/lib/ext2fs/unix_io.c
@@ -185,6 +185,7 @@ static errcode_t raw_read_blk(io_channel channel,
                actual = pread64(data->dev, buf, size, location);
                if (actual == size)
                        return 0;
+               actual = 0;
        }
 #elif HAVE_PREAD
        /* Try an aligned pread */
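Review bot: The added `actual = 0;` carries no explanation of why a failed or short pread must leave `actual` at zero rather than at the value pread returned; the reason — the `memset` and the `read_error` callback at `error_out` treat `actual` as the count of valid bytes already in `buf` — sits some sixty lines further down, so a one-line comment would help, e.g. `/* fall back to lseek+read below; keep actual a valid byte count for error_out */`. The reset also discards the count of a partial read (0 < actual < size), which appears harmless only because the fallback path re-reads the whole block from `location`; the comment should say so. The identical line in the second hunk (the HAVE_PREAD branch) needs the same comment. raw_read_blk begins before this hunk and continues past it.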
@@ -195,6 +196,7 @@ static errcode_t raw_read_blk(io_channel channel,
                actual = pread(data->dev, buf, size, location);
                if (actual == size)
                        return 0;
+               actual = 0;
        }
 #endif /* HAVE_PREAD */
 
@@ -247,7 +249,8 @@ bounce_read:
        return 0;
 
 error_out:
-       memset((char *) buf+actual, 0, size-actual);
+       if (actual >= 0 && actual < size)
+               memset((char *) buf+actual, 0, size-actual);
        if (channel->read_error)
                retval = (channel->read_error)(channel, block, count, buf,
                                               size, actual, retval);
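Review bot: When `actual` falls outside [0, size) the new guard skips the zeroing entirely, so `buf` is passed to `channel->read_error` — and presumably on to the caller — with whatever stale contents it held; for an inconsistent count the defensive choice is to zero the whole buffer, not none of it. Clamping before the memset does that and also keeps the `actual` handed to the callback in range: `if (actual < 0 || actual > size) actual = 0;` followed by the unconditional `memset((char *) buf+actual, 0, size-actual);`. This assumes `actual` and `size` are both signed, as the `actual >= 0` test implies. The function continues past the end of the hunk.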
