diff options
author | David Oberhollenzer <david.oberhollenzer@sigma-star.at> | 2019-08-23 12:10:16 +0200 |
---|---|---|
committer | David Oberhollenzer <david.oberhollenzer@sigma-star.at> | 2019-08-23 12:10:16 +0200 |
commit | 029a8db2701afb0653c6e789c878bb768ceb87e1 (patch) | |
tree | 86b1c8406d6c7755d19017d98406177660403f54 /lib/sqfs/id_table_read.c | |
parent | 7c028e224978e1d5a4f207cc42b9eb58d81897dd (diff) |
Do bounds checking in metadata reader
In all cases where metadata blocks are read, we can roughly (in some
cases even preciesly) say in what range those metadata blocks will be,
so it makes sense to throw an error if an attempt is made to wander
outside this range.
Furthermore, when reading from an uncompressed block, it is more reasonable
to check against the actual block bounds than to padd it with 0 bytes.
Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
Diffstat (limited to 'lib/sqfs/id_table_read.c')
-rw-r--r-- | lib/sqfs/id_table_read.c | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/lib/sqfs/id_table_read.c b/lib/sqfs/id_table_read.c index a310fd4..ccb0fc8 100644 --- a/lib/sqfs/id_table_read.c +++ b/lib/sqfs/id_table_read.c @@ -15,6 +15,7 @@ int id_table_read(id_table_t *tbl, int fd, sqfs_super_t *super, compressor_t *cmp) { + uint64_t upper_limit, lower_limit; size_t i; if (tbl->ids != NULL) { @@ -29,10 +30,24 @@ int id_table_read(id_table_t *tbl, int fd, sqfs_super_t *super, return -1; } + upper_limit = super->id_table_start; + lower_limit = super->directory_table_start; + + if (super->fragment_table_start > lower_limit && + super->fragment_table_start < upper_limit) { + lower_limit = super->fragment_table_start; + } + + if (super->export_table_start > lower_limit && + super->export_table_start < upper_limit) { + lower_limit = super->export_table_start; + } + tbl->num_ids = super->id_count; tbl->max_ids = super->id_count; tbl->ids = sqfs_read_table(fd, cmp, tbl->num_ids * sizeof(uint32_t), - super->id_table_start); + super->id_table_start, lower_limit, + upper_limit); if (tbl->ids == NULL) return -1; |