authorDavid Oberhollenzer <david.oberhollenzer@sigma-star.at>2019-10-08 00:35:44 +0200
committerDavid Oberhollenzer <david.oberhollenzer@sigma-star.at>2019-10-08 00:44:54 +0200
commit768d36ec643268fac24f961b2948fecd1d2e7310 (patch)
tree6f0efbc02208195c7555b9e4d8e2c1e66ba811b4
parent194cd03d0e32656c2786ec01e9f22d4a9c6921fc (diff)
Fix recovery of directory index in inode reader
Apparently mksquashfs writes an actual usage count (1 = 1 entry, 2 = 2 entries; i.e. NOT off by one). Also, if it does happen to be garbage, guard against an overflow. Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
-rw-r--r--lib/sqfs/read_inode.c10
1 files changed, 7 insertions, 3 deletions
diff --git a/lib/sqfs/read_inode.c b/lib/sqfs/read_inode.c
index e47395a..fa3ec31 100644
--- a/lib/sqfs/read_inode.c
+++ b/lib/sqfs/read_inode.c
@@ -261,7 +261,7 @@ static int read_inode_dir_ext(sqfs_meta_reader_t *ir, sqfs_inode_t *base,
return 0;
}
- for (i = 0; i <= dir.inodex_count; ++i) {
+ for (i = 0; i < dir.inodex_count; ++i) {
err = sqfs_meta_reader_read(ir, &ent, sizeof(ent));
if (err) {
free(out);
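Review bot: The corrected bound in `for (i = 0; i < dir.inodex_count; ++i)` depends on an on-disk convention that only the commit message records. A comment above the loop would keep a later reader from changing it back to `<=`, for example `/* inodex_count is the real number of index entries as written by mksquashfs, not count - 1 */`. Because the count is read from the image, the comment could also say that a garbage value appears to be bounded only by `sqfs_meta_reader_read` returning an error, as far as this hunk shows. The body of read_inode_dir_ext starts and ends outside the hunk.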
@@ -273,8 +273,12 @@ static int read_inode_dir_ext(sqfs_meta_reader_t *ir, sqfs_inode_t *base,
SWAB32(ent.size);
new_sz = index_max;
- while (sizeof(ent) + ent.size + 1 > new_sz - index_used)
- new_sz *= 2;
+ while (sizeof(ent) + ent.size + 1 > new_sz - index_used) {
+ if (SZ_MUL_OV(new_sz, 2, &new_sz)) {
+ free(out);
+ return SQFS_ERROR_OVERFLOW;
+ }
+ }
if (new_sz > index_max) {
new = realloc(out, sizeof(*out) + new_sz);
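Review bot: The loop condition `sizeof(ent) + ent.size + 1 > new_sz - index_used` can itself wrap where size_t is 32 bits, because ent.size is a 32-bit value taken from the image; with ent.size near its maximum the left side becomes small, the loop body is skipped and the new SZ_MUL_OV guard never runs. Any later code that stores ent.size + 1 bytes into `out` (outside this hunk, so inferred) would then work with an undersized buffer. I would reject such values before the loop, e.g. `if (ent.size > SIZE_MAX - sizeof(ent) - 1) { free(out); return SQFS_ERROR_OVERFLOW; }`, and consider a tighter cap so a malformed image cannot drive multi-gigabyte reallocs on 64-bit hosts. Also confirm that index_max is never 0 here, since doubling 0 neither grows nor overflows and the loop would not terminate; its initial value is not visible in the hunk.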