diff options
author | codeworkx <codeworkx@cyanogenmod.com> | 2012-09-18 18:51:21 +0200 |
---|---|---|
committer | codeworkx <codeworkx@cyanogenmod.com> | 2012-09-18 19:02:23 +0200 |
commit | f991bd2a427ec6a5e049e19745aba6a5d7f006c4 (patch) | |
tree | c6f0d428403c32c95335c34b3f0105c2e4c8087d /fs/hfsplus | |
parent | c28265764ec6ad9995eb0c761a376ffc9f141fcd (diff) | |
parent | bea37381fd9a34c6660e5195d31beea86aa3dda3 (diff) | |
download | kernel_samsung_smdk4412-f991bd2a427ec6a5e049e19745aba6a5d7f006c4.tar.gz kernel_samsung_smdk4412-f991bd2a427ec6a5e049e19745aba6a5d7f006c4.tar.bz2 kernel_samsung_smdk4412-f991bd2a427ec6a5e049e19745aba6a5d7f006c4.zip |
Merge linux-3.0.31 from korg into jellybean
Conflicts:
arch/arm/mm/proc-v7.S
drivers/base/core.c
drivers/gpu/drm/i915/i915_gem_execbuffer.c
drivers/gpu/drm/i915/intel_display.c
drivers/gpu/drm/i915/intel_lvds.c
drivers/gpu/drm/radeon/evergreen.c
drivers/gpu/drm/radeon/r100.c
drivers/gpu/drm/radeon/radeon_connectors.c
drivers/gpu/drm/radeon/rs600.c
drivers/usb/core/hub.c
drivers/usb/host/xhci-pci.c
drivers/usb/host/xhci.c
drivers/usb/serial/qcserial.c
fs/proc/base.c
Change-Id: Ia98b35db3f8c0bfd95817867d3acb85be8e5e772
Diffstat (limited to 'fs/hfsplus')
-rw-r--r-- | fs/hfsplus/catalog.c | 4 | ||||
-rw-r--r-- | fs/hfsplus/dir.c | 11 |
2 files changed, 15 insertions, 0 deletions
diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c index b4ba1b31933..408073ae7a2 100644 --- a/fs/hfsplus/catalog.c +++ b/fs/hfsplus/catalog.c @@ -360,6 +360,10 @@ int hfsplus_rename_cat(u32 cnid, err = hfs_brec_find(&src_fd); if (err) goto out; + if (src_fd.entrylength > sizeof(entry) || src_fd.entrylength < 0) { + err = -EIO; + goto out; + } hfs_bnode_read(src_fd.bnode, &entry, src_fd.entryoffset, src_fd.entrylength); diff --git a/fs/hfsplus/dir.c b/fs/hfsplus/dir.c index 4df5059c25d..159f5ebf519 100644 --- a/fs/hfsplus/dir.c +++ b/fs/hfsplus/dir.c @@ -146,6 +146,11 @@ static int hfsplus_readdir(struct file *filp, void *dirent, filldir_t filldir) filp->f_pos++; /* fall through */ case 1: + if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) { + err = -EIO; + goto out; + } + hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength); if (be16_to_cpu(entry.type) != HFSPLUS_FOLDER_THREAD) { @@ -177,6 +182,12 @@ static int hfsplus_readdir(struct file *filp, void *dirent, filldir_t filldir) err = -EIO; goto out; } + + if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) { + err = -EIO; + goto out; + } + hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength); type = be16_to_cpu(entry.type); |