Looks like I left a gaping hole in fruit_pread when reading from the AFP_AfpInfo stream. fruit_pread doesn't check the offset and length parameters and instead always writes 60 bytes, the size of the AFP_AfpInfo blob, to the passed buffer. If the passed in buffer is smaller, we overwrite something somewhere. :/
Created attachment 11201 [details] Patch for master Patch and torture test for master.
Comment on attachment 11201 [details] Patch for master if (offset + n > AFP_INFO_SIZE) { Can't offset+n overflow here?
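Added example, not Samba's vfs_fruit code: a stand-alone illustration of the two points in this thread, namely a pread over a fixed 60-byte blob that honours the caller's buffer length, and why the proposed `offset + n > AFP_INFO_SIZE` check is not enough on its own. The blob contents, the function names and the return conventions are constructed for the example; only the 60-byte size comes from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define AFP_INFO_SIZE 60 /* size of the AFP_AfpInfo blob, per the bug report */

/* Constructed stand-in for the AfpInfo blob (not Samba's real layout). */
static unsigned char afpinfo_blob[AFP_INFO_SIZE];
static int blob_ready;

static void init_blob(void)
{
    if (!blob_ready) {
        for (size_t i = 0; i < AFP_INFO_SIZE; i++) {
            afpinfo_blob[i] = (unsigned char)i;
        }
        blob_ready = 1;
    }
}

/*
 * The check from the review comment as written: off_t + size_t is
 * evaluated as unsigned, so a huge n wraps the sum back below the
 * blob size and the check passes when it should not.
 * Returns 1 if the range would be accepted, 0 if rejected.
 */
int naive_range_ok(off_t offset, size_t n)
{
    return (offset + n > AFP_INFO_SIZE) ? 0 : 1;
}

/*
 * Hypothetical bounds-checked read over the blob. Reads at or past the
 * end return 0 (EOF); otherwise the copy is clamped to what remains,
 * so the caller's buffer of n bytes is never overrun. The comparison
 * is done by subtraction, which cannot wrap once offset < size holds.
 */
ssize_t afpinfo_pread_safe(void *buf, size_t n, off_t offset)
{
    init_blob();
    if (offset < 0 || (uint64_t)offset >= AFP_INFO_SIZE) {
        return 0;
    }
    size_t avail = AFP_INFO_SIZE - (size_t)offset;
    size_t to_copy = n < avail ? n : avail;
    memcpy(buf, afpinfo_blob + offset, to_copy);
    return (ssize_t)to_copy;
}

/*
 * Helper for checking: reads into a 64-byte local buffer and confirms
 * both the byte count and that the copied bytes match the blob.
 * Returns 1 on success, 0 on mismatch.
 */
int check_copy(off_t offset, size_t n, ssize_t expected)
{
    unsigned char buf[64];
    memset(buf, 0xAA, sizeof(buf));
    ssize_t got = afpinfo_pread_safe(buf, n, offset);
    if (got != expected) {
        return 0;
    }
    for (ssize_t i = 0; i < got; i++) {
        if (buf[i] != (unsigned char)(offset + i)) {
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    /* offset 10 plus a near-SIZE_MAX length wraps to 4, so the naive check passes */
    printf("naive check accepts wrapped range: %d\n",
           naive_range_ok(10, SIZE_MAX - 5));
    /* the clamped read copies only the 50 bytes that remain after offset 10 */
    printf("safe read at 10 with huge n returns %zd bytes\n",
           afpinfo_pread_safe((unsigned char[64]){0}, SIZE_MAX - 5, 10));
    return 0;
}
```

The subtraction form (`avail = size - offset` after rejecting `offset >= size`) is the usual way to get an overflow-proof range check; the same shape applies to any fixed-size synthetic stream served through a pread hook.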
Created attachment 11224 [details] Patch for master Thanks! This one hopefully does it right.
Created attachment 11227 [details] Patch for 4.2 cherry-picked from master
Reassigning to Karolin for inclusion in 4.2.
Pushed to autobuild-v4-2-test.
(In reply to Karolin Seeger from comment #6) Pushed to v4-2-test. Closing out bug report. Thanks!