In unix_io.c's raw_read_block(), if the initial attempt to call
pread/pread64 fails because the offset is insane, the variable
"actual" is left at -1, and then when lseek fails, the cleanup
function will try to clear (as an out-of-bounds write) a single byte
before the buffer. Fix this.
Addresses-Debian-Bug: #871539
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reported-by: Jakub Wilk <jwilk@jwilk.net>
actual = pread64(data->dev, buf, size, location);
if (actual == size)
return 0;
+ actual = 0;
}
#elif HAVE_PREAD
/* Try an aligned pread */
actual = pread(data->dev, buf, size, location);
if (actual == size)
return 0;
+ actual = 0;
}
#endif /* HAVE_PREAD */
return 0;
error_out:
- memset((char *) buf+actual, 0, size-actual);
+ if (actual >= 0 && actual < size)
+ memset((char *) buf+actual, 0, size-actual);
if (channel->read_error)
retval = (channel->read_error)(channel, block, count, buf,
size, actual, retval);
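Review bot: The new guard in front of the memset at error_out leaves `buf` untouched whenever `actual` is negative, so a read that fails outright (pread/read returning -1, the case the commit message describes) now reaches `read_error` with whatever stale bytes the buffer held, and presumably reaches the caller too if that callback clears `retval`; the memset's original job was to zero every byte that was not read. Treating a negative return as "nothing read" keeps that behaviour while still avoiding the out-of-bounds write, and keeps the raw `actual` value for the callback rather than folding it to 0 the way the new `actual = 0;` lines after the failed pread/pread64 attempts do. The comparison `actual < size` assumes `actual` and `size` are both signed; their declarations are outside the hunk, so confirm that before relying on it. raw_read_block's body continues outside the hunk.

```c
error_out:
	if (actual < 0)
		memset(buf, 0, size);
	else if (actual < size)
		memset((char *) buf+actual, 0, size-actual);
	/* … unchanged: read_error callback and return … */
```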