From 21b1b3bad58b50e5464b1bf016e7c96bf18ddb8d Mon Sep 17 00:00:00 2001
From: Richard Genoud <richard.genoud@posteo.net>
Date: Tue, 3 Nov 2020 12:11:24 +0100
Subject: fs/squashfs: sqfs_read: remove buggy offset functionality

offset is the offset in the file read, not the offset in the destination
buffer.
If the offset is not null, this will lead to a memory corruption.
So, for now, we are returning an error if the offset is used.

Signed-off-by: Richard Genoud <richard.genoud@posteo.net>
---
 fs/squashfs/sqfs.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
index 1ecdd01cf7..80a85e76e8 100644
--- a/fs/squashfs/sqfs.c
+++ b/fs/squashfs/sqfs.c
@@ -1326,6 +1326,14 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
 
 	*actread = 0;
 
+	if (offset) {
+		/*
+		 * TODO: implement reading at an offset in file
+		 */
+		printf("Error: reading at a specific offset in a squashfs file is not supported yet.\n");
+		return -EINVAL;
+	}
+
 	/*
 	 * sqfs_opendir will uncompress inode and directory tables, and will
 	 * return a pointer to the directory that contains the requested file.
@@ -1465,12 +1473,12 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
 
 			if ((*actread + dest_len) > len)
 				dest_len = len - *actread;
-			memcpy(buf + offset + *actread, datablock, dest_len);
+			memcpy(buf + *actread, datablock, dest_len);
 			*actread += dest_len;
 		} else {
 			if ((*actread + table_size) > len)
 				table_size = len - *actread;
-			memcpy(buf + offset + *actread, data, table_size);
+			memcpy(buf + *actread, data, table_size);
 			*actread += table_size;
 		}
 
@@ -1522,7 +1530,7 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
 			goto out;
 		}
 
-		for (j = offset + *actread; j < finfo.size; j++) {
+		for (j = *actread; j < finfo.size; j++) {
 			memcpy(buf + j, &fragment_block[finfo.offset + j], 1);
 			(*actread)++;
 		}
@@ -1532,7 +1540,7 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
 	} else if (finfo.frag && !finfo.comp) {
 		fragment_block = (void *)fragment + table_offset;
 
-		for (j = offset + *actread; j < finfo.size; j++) {
+		for (j = *actread; j < finfo.size; j++) {
 			memcpy(buf + j, &fragment_block[finfo.offset + j], 1);
 			(*actread)++;
 		}
-- 
cgit v1.2.3