[PATCH 4/7] fs/ntfs3: leave room for the UTF-8 terminator

Next message: Pengpeng Hou: "[PATCH 3/7] drm/amd/display: make HDCP connector arrays match connector IDs"
Previous message: Pengpeng Hou: "[PATCH 6/7] remoteproc: validate resource table offset count"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Pengpeng Hou

Date: Mon Mar 23 2026 - 03:07:58 EST

ntfs_utf16_to_nls() passes the full destination length to
utf16s_to_utf8s() and then unconditionally writes buf[ret] = '\0'. When
the UTF-8 conversion exactly fills the caller buffer, ret equals buf_len
and that terminator write lands one byte past the end.

Reserve one byte for the trailing NUL before calling utf16s_to_utf8s()
and handle zero-length buffers explicitly.

Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
---
fs/ntfs3/dir.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/fs/ntfs3/dir.c b/fs/ntfs3/dir.c
index 4652a56ad105..df3e2a513df8 100644
--- a/fs/ntfs3/dir.c
+++ b/fs/ntfs3/dir.c
@@ -27,8 +27,11 @@ int ntfs_utf16_to_nls(struct ntfs_sb_info *sbi, const __le16 *name, u32 len,

if (!nls) {
/* UTF-16 -> UTF-8 */
+ if (buf_len <= 0)
+ return 0;
+
ret = utf16s_to_utf8s((wchar_t *)name, len, UTF16_LITTLE_ENDIAN,
- buf, buf_len);
+ buf, buf_len - 1);
buf[ret] = '\0';
return ret;
}
--
2.50.1 (Apple Git-155)