The variable 'n' represents the number of bytes to be read from a certain offset in a file, to a certain offset in buffer 'buf'. The variable 'len' represents the length of the entire file, clamped correctly to avoid any overflows.
Therefore, comparing 'n' and 'len' to determine whether clearing 'n' bytes of the buffer 'buf' at a certain offset would clear data past buffer 'buf' cannot lead to a correct result, since the 'n' does not contain the offset from the beginning of the file. This patch keeps track of the amount of data read and checks for the buffer overflow by comparing the 'n' to the remaining amount of data to be read instead. Signed-off-by: Marek Vasut <[email protected]> Cc: Ian Ray <[email protected]> Cc: Martyn Welch <[email protected]> Cc: Stefano Babic <[email protected]> Cc: Tom Rini <[email protected]> Fixes: ecdfb4195b20 ("ext4: recover from filesystem corruption when reading") --- fs/ext4/ext4fs.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c index 2a28031d14..537aa05eff 100644 --- a/fs/ext4/ext4fs.c +++ b/fs/ext4/ext4fs.c @@ -60,6 +60,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos, lbaint_t delayed_extent = 0; lbaint_t delayed_skipfirst = 0; lbaint_t delayed_next = 0; + lbaint_t read_total = 0; char *delayed_buf = NULL; short status; @@ -140,13 +141,14 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos, return -1; previous_block_number = -1; } - /* Zero no more than `len' bytes. */ + /* Zero no more than 'filesize' bytes. */ n = blocksize - skipfirst; - if (n > len) - n = len; + if (n > (len - read_total)) + n = (len - read_total); memset(buf, 0, n); } buf += blocksize - skipfirst; + read_total += blocksize - skipfirst; } if (previous_block_number != -1) { /* spill */ -- 2.16.2 _______________________________________________ U-Boot mailing list [email protected] https://lists.denx.de/listinfo/u-boot
