mirror of https://github.com/vitalif/e2fsprogs
libext2fs: avoid buffer overflow if s_first_meta_bg is too big
If s_first_meta_bg is greater than the of number block group descriptor blocks, then reading or writing the block group descriptors will end up overruning the memory buffer allocated for the descriptors. Fix this by limiting first_meta_bg to no more than fs->desc_blocks. This doesn't correct the bad s_first_meta_bg value, but it avoids causing the e2fsprogs userspace programs from potentially crashing. Signed-off-by: Theodore Ts'o <tytso@mit.edu>test-maint
parent
f00948ad1d
commit
f66e6ce444
|
@ -344,9 +344,11 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags)
|
|||
* superblocks and group descriptors.
|
||||
*/
|
||||
group_ptr = (char *) group_shadow;
|
||||
if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)
|
||||
if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
|
||||
old_desc_blocks = fs->super->s_first_meta_bg;
|
||||
else
|
||||
if (old_desc_blocks > fs->super->s_first_meta_bg)
|
||||
old_desc_blocks = fs->desc_blocks;
|
||||
} else
|
||||
old_desc_blocks = fs->desc_blocks;
|
||||
|
||||
ext2fs_numeric_progress_init(fs, &progress, NULL,
|
||||
|
|
|
@ -378,9 +378,11 @@ errcode_t ext2fs_open2(const char *name, const char *io_options,
|
|||
#ifdef WORDS_BIGENDIAN
|
||||
groups_per_block = EXT2_DESC_PER_BLOCK(fs->super);
|
||||
#endif
|
||||
if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)
|
||||
if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
|
||||
first_meta_bg = fs->super->s_first_meta_bg;
|
||||
else
|
||||
if (first_meta_bg > fs->desc_blocks)
|
||||
first_meta_bg = fs->desc_blocks;
|
||||
} else
|
||||
first_meta_bg = fs->desc_blocks;
|
||||
if (first_meta_bg) {
|
||||
retval = io_channel_read_blk(fs->io, group_block +
|
||||
|
|
Loading…
Reference in New Issue