Re: [PATCH] SquashFS, XZ: Don't use uninitialized variable insquashfs_xz_uncompress
From: Andrew Morton
Date: Mon Jan 24 2011 - 17:44:53 EST
On Thu, 20 Jan 2011 21:53:23 +0100 (CET)
Jesper Juhl <jj@xxxxxxxxxxxxx> wrote:
> In fs/squashfs/xz_wrapper.c::squashfs_xz_uncompress() we have this code:
>
> enum xz_ret xz_err;
> ...
> do {
> if (stream->buf.in_pos == stream->buf.in_size && k < b) {
> ... [nothing that assigns to 'xz_err'] ...
> if (avail == 0) {
> offset = 0;
> put_bh(bh[k++]);
> continue;
> }
> ...
> } while (xz_err == XZ_OK);
>
> If we hit that 'continue' statement the first time through, then the
> 'while' condition will be testing an uninitialized 'xz_err' - not what we
> want.
>
> This patch should take care of the problem by making sure that 'xz_err' is
> initialized to 'XZ_OK' at the start of the function.
>
> Signed-off-by: Jesper Juhl <jj@xxxxxxxxxxxxx>
> ---
> xz_wrapper.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> compile tested only.
>
> diff --git a/fs/squashfs/xz_wrapper.c b/fs/squashfs/xz_wrapper.c
> index 856756c..daf76c3 100644
> --- a/fs/squashfs/xz_wrapper.c
> +++ b/fs/squashfs/xz_wrapper.c
> @@ -74,7 +74,7 @@ static int squashfs_xz_uncompress(struct squashfs_sb_info *msblk, void **buffer,
> struct buffer_head **bh, int b, int offset, int length, int srclength,
> int pages)
> {
> - enum xz_ret xz_err;
> + enum xz_ret xz_err = XZ_OK;
> int avail, total = 0, k = 0, page = 0;
> struct squashfs_xz *stream = msblk->stream;
>
hm, maybe. The handling of the `avail == 0' case looks odd. It sits
there in a loop doing wait_on_buffer() against buffers which it will
never use and possible reporting -EIO for a buffer which it didn't use,
which seems bogus.
Phillip, please check?
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/