From e31c0fcd809a649b70e6bab08a8b89f9ced07510 Mon Sep 17 00:00:00 2001
From: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
Date: Fri, 23 Aug 2019 13:25:14 +0200
Subject: Check against format limits in meta_reader_read_dir_header

The SquashFS kernel implementation insists that a directory header is
followed by no more than an upper bound of entries, way less than what
the filed itself actually supports.

This commit makes sure that the meta_reader_read_dir_header function
also enforces that same limit.

Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
---
 lib/sqfs/readdir.c | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'lib')

diff --git a/lib/sqfs/readdir.c b/lib/sqfs/readdir.c
index 598ccc2..d67d264 100644
--- a/lib/sqfs/readdir.c
+++ b/lib/sqfs/readdir.c
@@ -20,6 +20,13 @@ int meta_reader_read_dir_header(meta_reader_t *m, sqfs_dir_header_t *hdr)
 	hdr->count = le32toh(hdr->count);
 	hdr->start_block = le32toh(hdr->start_block);
 	hdr->inode_number = le32toh(hdr->inode_number);
+
+	if (hdr->count > (SQFS_MAX_DIR_ENT - 1)) {
+		fputs("Found a directory header with too many entries\n",
+		      stderr);
+		return -1;
+	}
+
 	return 0;
 }
 
-- 
cgit v1.2.3