From 15cb3b973ed67262606e6aa68b3e64c59e997aac Mon Sep 17 00:00:00 2001
From: Theodore Ts'o
Date: Tue, 22 Aug 2017 11:23:21 -0400
Subject: [PATCH] libext2fs: avoid potential out-of-bounds write if pread/pread64 fails
In unix_io.c's raw_read_block(), if the initial attempt to call pread/pread64 fails because the offset is insane, the variable "actual" is left at -1, and then when lseek fails, the cleanup function will try to clear (as an out-of-bounds write) a single byte before the buffer. Fix this.
Addresses-Debian-Bug: #871539
Signed-off-by: Theodore Ts'o
Reported-by: Jakub Wilk
---
 lib/ext2fs/unix_io.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/lib/ext2fs/unix_io.c b/lib/ext2fs/unix_io.c
index f4e6148..6414195 100644
--- a/lib/ext2fs/unix_io.c
+++ b/lib/ext2fs/unix_io.c
@@ -185,6 +185,7 @@ static errcode_t raw_read_blk(io_channel channel,
 actual = pread64(data->dev, buf, size, location); if (actual == size) return 0;
+ actual = 0;
 }
 #elif HAVE_PREAD
 /* Try an aligned pread */
@@ -195,6 +196,7 @@ static errcode_t raw_read_blk(io_channel channel,
 actual = pread(data->dev, buf, size, location); if (actual == size) return 0;
+ actual = 0;
 }
 #endif /* HAVE_PREAD */
@@ -247,7 +249,8 @@ bounce_read:
 return 0;
 error_out:
- memset((char *) buf+actual, 0, size-actual);
+ if (actual >= 0 && actual < size)
+ memset((char *) buf+actual, 0, size-actual);
 if (channel->read_error) retval = (channel->read_error)(channel, block, count, buf, size, actual, retval);
--
1.8.3.1
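Review bot: The added `actual = 0;` after the pread64 call (and the identical line in the pread branch of the second hunk) carries no comment, so a reader of raw_read_blk cannot see why a failed or short positional read has to reset the byte count before falling through to the lseek path. The reason lives two hunks away: error_out reuses `actual` as the offset of the zero-fill, and a -1 returned by pread would otherwise index one byte before `buf`. I would write `actual = 0;	/* pread failed or was short: fall back to lseek+read; error_out uses actual as the zero-fill offset */` at both sites. raw_read_blk starts before the hunk, so the declarations of `actual` and `size` are not visible here; the commit message implies `actual` is signed, which is worth confirming against the declaration.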
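Review bot: The new guard before `memset` prevents the out-of-bounds write, but when `actual` is negative the buffer is now left holding whatever a failed read produced instead of being zeroed, and the same negative value is passed to `channel->read_error` as the byte count on the lines that follow. Normalizing rather than skipping keeps both consistent: `if (actual < 0) actual = 0;` ahead of `if (actual < size) memset((char *) buf+actual, 0, size-actual);` zero-fills the whole block and reports 0 bytes read to the callback. Whether a negative `actual` can still reach error_out once the first two hunks reset it depends on the read()/bounce code between @@ -195 and @@ -247, which is outside this view. The remainder of raw_read_blk after the read_error call is also outside the hunk.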