From 768d36ec643268fac24f961b2948fecd1d2e7310 Mon Sep 17 00:00:00 2001 From: David Oberhollenzer Date: Tue, 8 Oct 2019 00:35:44 +0200 Subject: Fix recovery of directory index in inode reader Apparently mksquashfs writes an actual usage count (1 = 1 entry, 2 = 2 entries; i.e. NOT off by one). Also, if it does happen to be garbage, guard against an overflow. Signed-off-by: David Oberhollenzer --- lib/sqfs/read_inode.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/lib/sqfs/read_inode.c b/lib/sqfs/read_inode.c index e47395a..fa3ec31 100644 --- a/lib/sqfs/read_inode.c +++ b/lib/sqfs/read_inode.c @@ -261,7 +261,7 @@ static int read_inode_dir_ext(sqfs_meta_reader_t *ir, sqfs_inode_t *base, return 0; } - for (i = 0; i <= dir.inodex_count; ++i) { + for (i = 0; i < dir.inodex_count; ++i) { err = sqfs_meta_reader_read(ir, &ent, sizeof(ent)); if (err) { free(out); @@ -273,8 +273,12 @@ static int read_inode_dir_ext(sqfs_meta_reader_t *ir, sqfs_inode_t *base, SWAB32(ent.size); new_sz = index_max; - while (sizeof(ent) + ent.size + 1 > new_sz - index_used) - new_sz *= 2; + while (sizeof(ent) + ent.size + 1 > new_sz - index_used) { + if (SZ_MUL_OV(new_sz, 2, &new_sz)) { + free(out); + return SQFS_ERROR_OVERFLOW; + } + } if (new_sz > index_max) { new = realloc(out, sizeof(*out) + new_sz); -- cgit v1.2.3