Fix possible UDF data corruption
update_next_aext() could possibly rewrite values in elen and eloc, possibly leading to data corruption when rewriting a file. Use temporary variables instead. Also advance cur_epos as it can also point to an indirect extent pointer. Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
parent
296baae254
commit
85d71244f0
@ -460,8 +460,8 @@ static struct buffer_head * inode_getblk(struct inode * inode, sector_t block,
|
|||||||
kernel_long_ad laarr[EXTENT_MERGE_SIZE];
|
kernel_long_ad laarr[EXTENT_MERGE_SIZE];
|
||||||
struct extent_position prev_epos, cur_epos, next_epos;
|
struct extent_position prev_epos, cur_epos, next_epos;
|
||||||
int count = 0, startnum = 0, endnum = 0;
|
int count = 0, startnum = 0, endnum = 0;
|
||||||
uint32_t elen = 0;
|
uint32_t elen = 0, tmpelen;
|
||||||
kernel_lb_addr eloc;
|
kernel_lb_addr eloc, tmpeloc;
|
||||||
int c = 1;
|
int c = 1;
|
||||||
loff_t lbcount = 0, b_off = 0;
|
loff_t lbcount = 0, b_off = 0;
|
||||||
uint32_t newblocknum, newblock;
|
uint32_t newblocknum, newblock;
|
||||||
@ -520,8 +520,12 @@ static struct buffer_head * inode_getblk(struct inode * inode, sector_t block,
|
|||||||
|
|
||||||
b_off -= lbcount;
|
b_off -= lbcount;
|
||||||
offset = b_off >> inode->i_sb->s_blocksize_bits;
|
offset = b_off >> inode->i_sb->s_blocksize_bits;
|
||||||
/* Move into indirect extent if we are at a pointer to it */
|
/*
|
||||||
udf_next_aext(inode, &prev_epos, &eloc, &elen, 0);
|
* Move prev_epos and cur_epos into indirect extent if we are at
|
||||||
|
* the pointer to it
|
||||||
|
*/
|
||||||
|
udf_next_aext(inode, &prev_epos, &tmpeloc, &tmpelen, 0);
|
||||||
|
udf_next_aext(inode, &cur_epos, &tmpeloc, &tmpelen, 0);
|
||||||
|
|
||||||
/* if the extent is allocated and recorded, return the block
|
/* if the extent is allocated and recorded, return the block
|
||||||
if the extent is not a multiple of the blocksize, round up */
|
if the extent is not a multiple of the blocksize, round up */
|
||||||
|
Loading…
Reference in New Issue
Block a user