    udf: Prevent buffer overrun with multi-byte characters · dba4f816
    Andrew Gabbasov authored
    commit ad402b26 upstream.
    
    The udf_CS0toUTF8 function stops the conversion when the output buffer
    length reaches UDF_NAME_LEN-2, which is the correct maximum name length,
    but, when checking, it leaves space for a single byte only,
    while multi-byte output characters can take more space, causing
    a buffer overflow.
    
    A similar error exists in the udf_CS0toNLS function, which restricts
    the output length to UDF_NAME_LEN, while the actual maximum allowed
    length is UDF_NAME_LEN-2.
    
    In these cases the output can override not only the current buffer
    length field, causing corruption of the name buffer itself, but also
    the following allocation structures, causing a kernel crash.
    
    Adjust the output length checks in both functions to prevent buffer
    overruns in case of multi-byte UTF8 or NLS characters.
    Signed-off-by: Andrew Gabbasov <andrew_gabbasov@mentor.com>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
unicode.c 11.4 KB
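
Added example, not part of the commit or of the kernel's unicode.c: a simplified user-space model of the length check the commit message describes, comparing a guard that proves one free byte with a guard that proves the whole encoded character fits. MAX_NAME, SLACK, put_utf8, convert_name and demo_len are hypothetical names; MAX_NAME stands in for the real limit, and the slack bytes exist only so the overshoot can be measured without undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_NAME 8  /* assumed demo limit, stands in for the maximum name length */
#define SLACK    4  /* spare bytes so the flawed guard's overshoot is observable */

/* Encode one 16-bit code unit as UTF-8; returns the number of bytes written. */
static size_t put_utf8(uint8_t *out, uint16_t c)
{
    if (c < 0x80) { out[0] = (uint8_t)c; return 1; }
    if (c < 0x800) {
        out[0] = (uint8_t)(0xC0 | (c >> 6));
        out[1] = (uint8_t)(0x80 | (c & 0x3F));
        return 2;
    }
    out[0] = (uint8_t)(0xE0 | (c >> 12));
    out[1] = (uint8_t)(0x80 | ((c >> 6) & 0x3F));
    out[2] = (uint8_t)(0x80 | (c & 0x3F));
    return 3;
}

/* out must hold MAX_NAME + SLACK bytes. strict == 0 checks for one free byte
 * only (the flawed pattern); strict == 1 checks the full encoded width. */
size_t convert_name(const uint16_t *in, size_t n, uint8_t *out, int strict)
{
    size_t len = 0;
    for (size_t i = 0; i < n; i++) {
        size_t need = !strict ? 1 : in[i] < 0x80 ? 1 : in[i] < 0x800 ? 2 : 3;
        if (len + need > MAX_NAME)
            break;
        len += put_utf8(out + len, in[i]);
    }
    return len;
}

/* Constructed input: 7 ASCII characters, then U+20AC (3 bytes in UTF-8). */
size_t demo_len(int strict)
{
    static const uint16_t name[] = { 'a','b','c','d','e','f','g', 0x20AC };
    uint8_t buf[MAX_NAME + SLACK];
    return convert_name(name, sizeof name / sizeof name[0], buf, strict);
}

int main(void)
{
    printf("one-byte guard: %zu, width-aware guard: %zu\n", demo_len(0), demo_len(1));
    return 0;
}
```

With the one-byte guard the final length exceeds MAX_NAME by two bytes; in a buffer without slack those bytes would land in whatever follows the name.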