ext4: fix possible access violation when copying name fields
authorKaho Ng <ngkaho1234@gmail.com>
Tue, 28 Jun 2016 15:02:16 +0000 (23:02 +0800)
committerKaho Ng <ngkaho1234@gmail.com>
Tue, 28 Jun 2016 15:03:36 +0000 (23:03 +0800)
include/ext4_types.h
src/ext4.c

index a7170a7fecc66e247c017b3f8ed8987d943da900..4f934f22b80608fc223261c9ae8721675fb13ad3 100644 (file)
@@ -495,8 +495,7 @@ struct ext4_dir_en {
        uint8_t name_len;   /* Lower 8 bits of name length */
 
        union ext4_dir_en_internal in;
-
-       uint8_t name[EXT4_DIRECTORY_FILENAME_LEN]; /* Entry name */
+       uint8_t name[]; /* Entry name */
 };
 
 /* Structures for indexed directory */
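Review bot: With `name` now a flexible array member, `sizeof(struct ext4_dir_en)` shrinks to the fixed header and no longer covers any name bytes, so every place that sizes a copy, an allocation or a minimum-entry-length check with `sizeof(struct ext4_dir_en)` needs to be audited in the same change; the old `memcpy(..., sizeof(ext4_direntry))` pattern replaced in ext4.c is the kind of site to look for. The definition of struct ext4_dir_en starts before this hunk, so I cannot see whether a matching size constant for the fixed part exists. A comment on the member would make the contract explicit, e.g. `uint8_t name[]; /* Entry name: name_len bytes, not NUL-terminated, not counted in sizeof */`.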
index 86c5c1dc5e5dc92f1d0cba99c69fc0ecb91d5f0e..db7745f678043ef1a5565733533af2d74af95757 100644 (file)
@@ -2949,6 +2949,7 @@ const ext4_direntry *ext4_dir_entry_next(ext4_dir *d)
 #define EXT4_DIR_ENTRY_OFFSET_TERM (uint64_t)(-1)
 
        int r;
+       uint16_t name_length;
        ext4_direntry *de = 0;
        struct ext4_inode_ref dir;
        struct ext4_dir_iter it;
@@ -2971,7 +2972,18 @@ const ext4_direntry *ext4_dir_entry_next(ext4_dir *d)
                goto Finish;
        }
 
-       memcpy(&d->de, it.curr, sizeof(ext4_direntry));
+       memset(&d->de.name, 0, sizeof(d->de.name));
+       name_length = ext4_dir_en_get_name_len(&d->f.mp->fs.sb,
+                                              it.curr);
+       memcpy(&d->de.name, it.curr->name, name_length);
+
+       /* Directly copying the content isn't safe for Big-endian targets*/
+       d->de.inode = ext4_dir_en_get_inode(it.curr);
+       d->de.entry_length = ext4_dir_en_get_entry_len(it.curr);
+       d->de.name_length = name_length;
+       d->de.inode_type = ext4_dir_en_get_inode_type(&d->f.mp->fs.sb,
+                                                     it.curr);
+
        de = &d->de;
 
        ext4_dir_iterator_next(&it);
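Review bot: The copy at `memcpy(&d->de.name, it.curr->name, name_length);` takes its length straight from the on-disk entry and nothing bounds it by `sizeof(d->de.name)`; `name_length` is a `uint16_t`, so a corrupted or crafted directory block can still overrun the fixed-size destination this change was meant to protect. Clamp before copying, `if (name_length > sizeof(d->de.name)) name_length = sizeof(d->de.name);`, and if `d->de.name` is meant to be read as a C string the bound should be `sizeof(d->de.name) - 1` so the terminator the preceding memset supplies survives a maximal name. The same length should presumably also be checked against the entry's `entry_length` so the source read stays inside the record; the iterator's own validation is not visible from here. ext4_dir_entry_next starts before the first hunk and continues past this one.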