From a145b172b45b0afa131f44e00dfd90e88088069b Mon Sep 17 00:00:00 2001
From: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
Date: Thu, 25 Jul 2019 23:19:32 +0200
Subject: Fix checks of super block block size

Make sure range is checked when reading a block and that the check is
made correctly. Also make the block log check a little more strict.

Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
---
 lib/sqfs/read_super.c | 27 +++++++++++++++++----------
 lib/sqfs/super.c      |  2 +-
 2 files changed, 18 insertions(+), 11 deletions(-)

diff --git a/lib/sqfs/read_super.c b/lib/sqfs/read_super.c
index fff3d50..f14a881 100644
--- a/lib/sqfs/read_super.c
+++ b/lib/sqfs/read_super.c
@@ -58,19 +58,22 @@ int sqfs_super_read(sqfs_super_t *super, int fd)
 		return -1;
 	}
 
-	if (temp.block_log > 0 && temp.block_log < 32) {
-		block_size = 1;
-
-		for (i = 0; i < temp.block_log; ++i)
-			block_size <<= 1;
-	}
-
-	if (temp.block_size != block_size) {
-		fputs("Mismatch between block size and block log\n", stderr);
-		fputs("Filesystem probably currupted.\n", stderr);
+	if (temp.block_size < 4096 || temp.block_size >= (1 << 20)) {
+		fputs("Block size in iamge not between 4k and 1M\n", stderr);
 		return -1;
 	}
 
+	if (temp.block_log < 12 || temp.block_log > 20)
+		goto fail_block_log;
+
+	block_size = 1;
+
+	for (i = 0; i < temp.block_log; ++i)
+		block_size <<= 1;
+
+	if (temp.block_size != block_size)
+		goto fail_block_log;
+
 	if (temp.compression_id < SQFS_COMP_MIN ||
 	    temp.compression_id > SQFS_COMP_MAX) {
 		fputs("Image uses an unsupported compressor\n", stderr);
@@ -84,4 +87,8 @@ int sqfs_super_read(sqfs_super_t *super, int fd)
 
 	memcpy(super, &temp, sizeof(temp));
 	return 0;
+fail_block_log:
+	fputs("Mismatch between block size and block log\n", stderr);
+	fputs("Filesystem probably currupted.\n", stderr);
+	return -1;
 }
diff --git a/lib/sqfs/super.c b/lib/sqfs/super.c
index d90e6ea..7a7f0da 100644
--- a/lib/sqfs/super.c
+++ b/lib/sqfs/super.c
@@ -19,7 +19,7 @@ int sqfs_super_init(sqfs_super_t *super, size_t block_size, uint32_t mtime,
 		return -1;
 	}
 
-	if (block_size < 4096 || block_size >= (1 << 24)) {
+	if (block_size < 4096 || block_size >= (1 << 20)) {
 		fputs("Block size must be between 4k and 1M\n", stderr);
 		return -1;
 	}
-- 
cgit v1.2.3