From 3ef7c3bb37e40de2653daf306e8bcb2a87446271 Mon Sep 17 00:00:00 2001 From: David Oberhollenzer Date: Sun, 22 Aug 2021 13:40:12 +0200 Subject: Tighten bounds checks in sqfs_dir_reader_reader Use the same size check as sqfs_dir_reader_open_dir and report EOF, even if it is possible to read the header itself, but nothing beyond that. Also check if it should be possible to read an entry header before attempting and report EOF if not. Signed-off-by: David Oberhollenzer --- lib/sqfs/dir_reader.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/lib/sqfs/dir_reader.c b/lib/sqfs/dir_reader.c index e6467ef..f560069 100644 --- a/lib/sqfs/dir_reader.c +++ b/lib/sqfs/dir_reader.c @@ -164,7 +164,7 @@ int sqfs_dir_reader_read(sqfs_dir_reader_t *rd, sqfs_dir_entry_t **out) int err; if (!rd->entries) { - if (rd->size < sizeof(rd->hdr)) + if (rd->size <= sizeof(rd->hdr)) return 1; err = sqfs_meta_reader_read_dir_header(rd->meta_dir, &rd->hdr); @@ -175,6 +175,12 @@ int sqfs_dir_reader_read(sqfs_dir_reader_t *rd, sqfs_dir_entry_t **out) rd->entries = rd->hdr.count + 1; } + if (rd->size <= sizeof(*ent)) { + rd->size = 0; + rd->entries = 0; + return 1; + } + err = sqfs_meta_reader_read_dir_ent(rd->meta_dir, &ent); if (err) return err; -- cgit v1.2.3