Whamcloud - gitweb
libext2fs: avoid potential out-of-bounds write if pread/pread64 fails
author Theodore Ts'o <tytso@mit.edu>
Tue, 22 Aug 2017 15:23:21 +0000 (11:23 -0400)
committer Theodore Ts'o <tytso@mit.edu>
Tue, 22 Aug 2017 15:28:44 +0000 (11:28 -0400)
In unix_io.c's raw_read_block(), if the initial attempt to call
pread/pread64 fails because the offset is insane, the variable
"actual" is left at -1, and then when lseek fails, the cleanup
function will try to clear (as an out-of-bounds write) a single byte
before the buffer.  Fix this.

Addresses-Debian-Bug: #871539

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reported-by: Jakub Wilk <jwilk@jwilk.net>
lib/ext2fs/unix_io.c

index f4e6148..6414195 100644 (file)
@@ -185,6 +185,7 @@ static errcode_t raw_read_blk(io_channel channel,
                actual = pread64(data->dev, buf, size, location);
                if (actual == size)
                        return 0;
+               actual = 0;
        }
 #elif HAVE_PREAD
        /* Try an aligned pread */
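
Review bot: The new `actual = 0;` after the pread64 attempt runs on every return that is not equal to `size`, so it also discards a positive short-read count, not only the -1 the commit message describes. If only the error return is meant to be neutralised, `if (actual < 0) actual = 0;` says so directly. Either way, a one-line comment pointing at the later use of `actual` in `error_out` would keep this from reading as a dead store.
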
@@ -195,6 +196,7 @@ static errcode_t raw_read_blk(io_channel channel,
                actual = pread(data->dev, buf, size, location);
                if (actual == size)
                        return 0;
+               actual = 0;
        }
 #endif /* HAVE_PREAD */
 
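
Review bot: The `actual = 0;` in the `HAVE_PREAD` branch is a copy of the one in the pread64 branch, so the two resets have to be kept in step by hand. A single normalisation placed right after `#endif /* HAVE_PREAD */` would handle both variants in one place and would also apply to any further read variant added to this `#if` chain later.
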
@@ -247,7 +249,8 @@ bounce_read:
        return 0;
 
 error_out:
-       memset((char *) buf+actual, 0, size-actual);
+       if (actual >= 0 && actual < size)
+               memset((char *) buf+actual, 0, size-actual);
        if (channel->read_error)
                retval = (channel->read_error)(channel, block, count, buf,
                                               size, actual, retval);
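
Review bot: The guard in `error_out` skips the `memset` entirely when `actual` is negative, so in that case the caller's `buf` is left unzeroed and the same negative value is still passed on to `channel->read_error`. Clamping first, for example `if (actual < 0) actual = 0;` ahead of the `memset`, would zero the whole buffer and hand the error handler a sane count. A short comment on which paths can still reach this label with a negative `actual` would also help the next reader.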