[PATCH 5/7] exfat: leave room for the UTF-8 terminator

Next message: Pengpeng Hou: "[PATCH 6/7] remoteproc: validate resource table offset count"
Previous message: Pengpeng Hou: "[PATCH 1/7] ALSA: asihpi: bound control name formatting"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Pengpeng Hou

Date: Mon Mar 23 2026 - 03:06:40 EST

exfat_utf16_to_utf8() passes the full destination length to
utf16s_to_utf8s() and then stores a trailing NUL at p_cstring[len]. If
the UTF-8 conversion fills the destination buffer completely, len equals
buflen and the terminator write overruns the caller buffer by one byte.

Reserve one byte for the trailing NUL before the conversion and handle
zero-length buffers explicitly.

Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
---
fs/exfat/nls.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/fs/exfat/nls.c b/fs/exfat/nls.c
index 57db08a5271c..fe3f5f9ccef3 100644
--- a/fs/exfat/nls.c
+++ b/fs/exfat/nls.c
@@ -484,8 +484,11 @@ static int exfat_utf16_to_utf8(struct super_block *sb,
const unsigned short *uniname = p_uniname->name;

/* always len >= 0 */
+ if (buflen <= 0)
+ return 0;
+
len = utf16s_to_utf8s(uniname, MAX_NAME_LENGTH, UTF16_HOST_ENDIAN,
- p_cstring, buflen);
+ p_cstring, buflen - 1);
p_cstring[len] = '\0';
return len;
}
--
2.50.1 (Apple Git-155)