udf: Fix uninitialized array access for some pathnames

jankara · jankara · commit 028f6055c912 · 2023-06-21T11:53:06.000+02:00
For filenames that begin with . and are between 2 and 5 characters long, UDF charset conversion code would read uninitialized memory in the output buffer. The only practical impact is that the name may be prepended a "unification hash" when it is not actually needed but still it is good to fix this. Reported-by: syzbot+cd311b1e43cc25f90d18@syzkaller.appspotmail.com Link: https://lore.kernel.org/all/000000000000e2638a05fe9dc8f9@google.com Signed-off-by: Jan Kara <jack@suse.cz>
diff --git a/fs/udf/unicode.c b/fs/udf/unicode.c
@@ -243,7 +243,7 @@ static int udf_name_from_CS0(struct super_block *sb,
 	}
 
 	if (translate) {
-		if (str_o_len <= 2 && str_o[0] == '.' &&
+		if (str_o_len > 0 && str_o_len <= 2 && str_o[0] == '.' &&
 		    (str_o_len == 1 || str_o[1] == '.'))
 			needsCRC = 1;
 		if (needsCRC) {

Original file line number	Diff line number	Diff line change
`@@ -243,7 +243,7 @@ static int udf_name_from_CS0(struct super_block *sb,`
`243`	`243`	`}`
`244`	`244`
`245`	`245`	`if (translate) {`
`246`		`- if (str_o_len <= 2 && str_o[0] == '.' &&`
	`246`	`+ if (str_o_len > 0 && str_o_len <= 2 && str_o[0] == '.' &&`
`247`	`247`	`(str_o_len == 1 \|\| str_o[1] == '.'))`
`248`	`248`	`needsCRC = 1;`
`249`	`249`	`if (needsCRC) {`