From 0d2125014c22caf55b0e5f3cfe11aa516cd6c2e3 Mon Sep 17 00:00:00 2001 From: David Oberhollenzer Date: Sun, 22 Aug 2021 13:40:12 +0200 Subject: Tighten bounds checks in sqfs_dir_reader_reader Use the same size check as sqfs_dir_reader_open_dir and report EOF, even if it is possible to read the header itself, but nothing beyond that. Also check if it should be possible to read an entry header before attempting and report EOF if not. Signed-off-by: David Oberhollenzer --- lib/sqfs/dir_reader.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/lib/sqfs/dir_reader.c b/lib/sqfs/dir_reader.c index e6467ef..f560069 100644 --- a/lib/sqfs/dir_reader.c +++ b/lib/sqfs/dir_reader.c @@ -164,7 +164,7 @@ int sqfs_dir_reader_read(sqfs_dir_reader_t *rd, sqfs_dir_entry_t **out) int err; if (!rd->entries) { - if (rd->size < sizeof(rd->hdr)) + if (rd->size <= sizeof(rd->hdr)) return 1; err = sqfs_meta_reader_read_dir_header(rd->meta_dir, &rd->hdr); @@ -175,6 +175,12 @@ int sqfs_dir_reader_read(sqfs_dir_reader_t *rd, sqfs_dir_entry_t **out) rd->entries = rd->hdr.count + 1; } + if (rd->size <= sizeof(*ent)) { + rd->size = 0; + rd->entries = 0; + return 1; + } + err = sqfs_meta_reader_read_dir_ent(rd->meta_dir, &ent); if (err) return err; -- cgit v1.2.3