Fix possible NULL pointer dereference in udf_table_free_blocks()
authorJan Kara <jack@suse.cz>
Fri, 31 Aug 2007 06:56:22 +0000 (23:56 -0700)
committerLinus Torvalds <torvalds@woody.linux-foundation.org>
Fri, 31 Aug 2007 08:42:22 +0000 (01:42 -0700)
Fix possible NULL pointer dereference when freeing blocks in case table of
free space is used.  Also fix handling of the case when we need to move
extent from one block to another one to make space for indirect extent.
BTW: Nobody seem to have ever used this code.

Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
fs/udf/balloc.c

index 276f7207a5642369ba2d56dabad2b683f9444388..87e87dcd3f9c94db447581b9f718ac92ea13c146 100644 (file)
@@ -540,26 +540,24 @@ static void udf_table_free_blocks(struct super_block *sb,
                        if (epos.offset + adsize > sb->s_blocksize) {
                                loffset = epos.offset;
                                aed->lengthAllocDescs = cpu_to_le32(adsize);
-                               sptr = UDF_I_DATA(inode) + epos.offset -
-                                       udf_file_entry_alloc_offset(inode) +
-                                       UDF_I_LENEATTR(inode) - adsize;
+                               sptr = UDF_I_DATA(table) + epos.offset - adsize;
                                dptr = epos.bh->b_data + sizeof(struct allocExtDesc);
                                memcpy(dptr, sptr, adsize);
                                epos.offset = sizeof(struct allocExtDesc) + adsize;
                        } else {
                                loffset = epos.offset + adsize;
                                aed->lengthAllocDescs = cpu_to_le32(0);
-                               sptr = oepos.bh->b_data + epos.offset;
-                               epos.offset = sizeof(struct allocExtDesc);
-
                                if (oepos.bh) {
+                                       sptr = oepos.bh->b_data + epos.offset;
                                        aed = (struct allocExtDesc *)oepos.bh->b_data;
                                        aed->lengthAllocDescs =
                                                cpu_to_le32(le32_to_cpu(aed->lengthAllocDescs) + adsize);
                                } else {
+                                       sptr = UDF_I_DATA(table) + epos.offset;
                                        UDF_I_LENALLOC(table) += adsize;
                                        mark_inode_dirty(table);
                                }
+                               epos.offset = sizeof(struct allocExtDesc);
                        }
                        if (UDF_SB_UDFREV(sb) >= 0x0200)
                                udf_new_tag(epos.bh->b_data, TAG_IDENT_AED, 3, 1,