udf: fix udf_build_ustr

udf_build_ustr was broken:

- size == 1:
    dest->u_len = ptr[1 - 1], but at ptr[0] there's cmpID,
    so we created string with wrong length
    it should not happen, so we BUG() it
- size > 1 and size < UDF_NAME_LEN:
    we set u_len correctly, but memcpy copied one needless byte
- size == UDF_NAME_LEN - 1:
    memcpy overwrited u_len - with correct value, but...
- size >= UDF_NAME_LEN:
    we copied UDF_NAME_LEN - 1 bytes, but dest->u_name is array
    of UDF_NAME_LEN - 2 bytes, so we were overwriting u_len with
    character from input string

nobody noticed because all callers set size
to acceptable values (constants within range)

Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>

diff --git a/fs/udf/unicode.c b/fs/udf/unicode.c
index 05bc505ec01a752ad7e1fa48a49fc2a97321051b..24d6165d21a9349b8b90e1f2806c471a0bec601a 100644 (file)
--- a/fs/udf/unicode.c
+++ b/fs/udf/unicode.c
@@ -48,14 +48,16 @@ int udf_build_ustr(struct ustr *dest, dstring *ptr, int size)
 {
        int usesize;
 
-       if ((!dest) || (!ptr) || (!size))
+       if (!dest || !ptr || !size)
                return -1;
+       BUG_ON(size < 2);
 
-       memset(dest, 0, sizeof(struct ustr));
-       usesize = (size > UDF_NAME_LEN) ? UDF_NAME_LEN : size;
+       usesize = min_t(size_t, ptr[size - 1], sizeof(dest->u_name));
+       usesize = min(usesize, size - 2);
        dest->u_cmpID = ptr[0];
-       dest->u_len = ptr[size - 1];
-       memcpy(dest->u_name, ptr + 1, usesize - 1);
+       dest->u_len = usesize;
+       memcpy(dest->u_name, ptr + 1, usesize);
+       memset(dest->u_name + usesize, 0, sizeof(dest->u_name) - usesize);
 
        return 0;
 }