Fix possible UDF data corruption

update_next_aext() could possibly rewrite values in elen and eloc, possibly
leading to data corruption when rewriting a file.  Use temporary variables
instead.  Also advance cur_epos as it can also point to an indirect extent
pointer.

Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
Jan Kara 2007-06-01 00:46:29 -07:00 committed by Linus Torvalds
parent 296baae254
commit 85d71244f0

View File

@ -460,8 +460,8 @@ static struct buffer_head * inode_getblk(struct inode * inode, sector_t block,
kernel_long_ad laarr[EXTENT_MERGE_SIZE]; kernel_long_ad laarr[EXTENT_MERGE_SIZE];
struct extent_position prev_epos, cur_epos, next_epos; struct extent_position prev_epos, cur_epos, next_epos;
int count = 0, startnum = 0, endnum = 0; int count = 0, startnum = 0, endnum = 0;
uint32_t elen = 0; uint32_t elen = 0, tmpelen;
kernel_lb_addr eloc; kernel_lb_addr eloc, tmpeloc;
int c = 1; int c = 1;
loff_t lbcount = 0, b_off = 0; loff_t lbcount = 0, b_off = 0;
uint32_t newblocknum, newblock; uint32_t newblocknum, newblock;
@ -520,8 +520,12 @@ static struct buffer_head * inode_getblk(struct inode * inode, sector_t block,
b_off -= lbcount; b_off -= lbcount;
offset = b_off >> inode->i_sb->s_blocksize_bits; offset = b_off >> inode->i_sb->s_blocksize_bits;
/* Move into indirect extent if we are at a pointer to it */ /*
udf_next_aext(inode, &prev_epos, &eloc, &elen, 0); * Move prev_epos and cur_epos into indirect extent if we are at
* the pointer to it
*/
udf_next_aext(inode, &prev_epos, &tmpeloc, &tmpelen, 0);
udf_next_aext(inode, &cur_epos, &tmpeloc, &tmpelen, 0);
/* if the extent is allocated and recorded, return the block /* if the extent is allocated and recorded, return the block
if the extent is not a multiple of the blocksize, round up */ if the extent is not a multiple of the blocksize, round up */