From e49f30a76f5e910092bd285ebef3f7641a09ec2e Mon Sep 17 00:00:00 2001 From: Eric Sandeen Date: Fri, 30 Aug 2013 03:55:16 +0000 Subject: [PATCH] xfsprogs: avoid array overflow in pf_batch_read() The while loop in pf_batch_read, and the code preceding it, is really... quite a thing. I'd love to rewrite it, but I haven't yet found a particularly cleaner way. It cleverly hides the fact that we might increment "num" past the last index of bplist[] and then assign to it. This corrupts memory. Rather than major surgery for now, just go for the simple fix, and break out of the loop if we've increased "num" past the last index. Signed-off-by: Eric Sandeen Reviewed-by: Dave Chinner Signed-off-by: Rich Johnston --- repair/prefetch.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/repair/prefetch.c b/repair/prefetch.c index 7529f5dd1..d3491da2a 100644 --- a/repair/prefetch.c +++ b/repair/prefetch.c @@ -429,6 +429,8 @@ pf_batch_read( if (which != PF_META_ONLY || !B_IS_INODE(XFS_BUF_PRIORITY(bplist[num]))) num++; + if (num == MAX_BUFS) + break; bplist[num] = btree_lookup_next(args->io_queue, &fsbno); } if (!num) -- 2.47.2
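Review bot: the `if (num == MAX_BUFS) break;` is placed correctly, directly between the conditional `num++` and the `bplist[num] = btree_lookup_next(...)` store it protects, and since `num` grows by at most one per iteration the equality test cannot be skipped over; still, `if (num >= MAX_BUFS)` would be the more defensive form, costing nothing and keeping the guard valid if a later change ever advances `num` by more than one. A one-line comment at the check noting that bplist[] holds MAX_BUFS entries (the bound the check implies) would make the reason for the early exit obvious at the site rather than only in the commit message. The trailing `if (!num)` is unaffected because the break only fires with `num` at its maximum.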