From 966ef874a8920c238d24b45bd1e8697b8dfcd4da Mon Sep 17 00:00:00 2001
From: "Darrick J. Wong"
Date: Tue, 2 May 2017 11:12:54 -0500
Subject: [PATCH] xfs_db: don't print arrays off the end of a buffer

Before printing an array, clamp the array count against the size of the buffer so that we don't print random heap contents.

[sandeen: re-use fsz variable in call to prfunc]

Signed-off-by: Darrick J. Wong
Reviewed-by: Eric Sandeen
Signed-off-by: Eric Sandeen
---
 db/print.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/db/print.c b/db/print.c
index e31372ff6..0da36c278 100644
--- a/db/print.c
+++ b/db/print.c
@@ -144,10 +144,19 @@ print_flist_1(
 if (fl->flags & FL_OKHIGH)
 count = min(count, fl->high - low + 1);
 if (fa->prfunc) {
+ int fsz;
+ int bitlen;
+
+ /* Don't read an array off the end of the buffer */
+ fsz = fsize(f, iocur_top->data, parentoff, 0);
+ bitlen = iocur_top->len * NBBY;
+ if ((f->flags & FLD_ARRAY) &&
+ fl->offset + (count * fsz) > bitlen) {
+ count = (bitlen - fl->offset) / fsz;
+ }
+
 neednl = fa->prfunc(iocur_top->data, fl->offset,
- count, fa->fmtstr,
- fsize(f, iocur_top->data, parentoff, 0),
- fa->arg, low,
+ count, fa->fmtstr, fsz, fa->arg, low,
 (f->flags & FLD_ARRAY) != 0);
 if (neednl)
 dbprintf("\n");
-- 
2.47.2
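Review bot: The clamp in the added `if ((f->flags & FLD_ARRAY) && ...)` block does its bounds arithmetic in signed `int` on values that may come from damaged on-disk metadata, and it leaves three cases open: `count * fsz` can overflow before the comparison, an `fl->offset` beyond `bitlen` yields a negative `count`, and `fsz == 0` with such an offset divides by zero. Whether `fsize()` can return 0 here and how `prfunc` treats a negative count are not visible in the hunk, so both should be confirmed. Comparing by division avoids all three, still inside the array check: `if (fsz <= 0 || fl->offset >= bitlen) count = 0;` followed by `else if (count > (bitlen - fl->offset) / fsz) count = (bitlen - fl->offset) / fsz;`. A short `dbprintf` notice when the count is reduced would also tell someone inspecting a corrupt filesystem that the output was truncated. The body of print_flist_1 starts before and continues after this hunk.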